London, UK : British Airways said on Thursday that for two weeks from August 21 hackers stole customer data from its website and mobile app in a data breach involving 380,000 payment cards. British Airways said the stolen information was personal and financial details of customers making bookings, but not did not relate to travel or passports.
BA said the breach took place between 2158 GMT on August 21 and 2045 GMT on September 5.
“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details,” the airline said in a statement.
“The personal and financial details of customers making bookings on our website and app were compromised,” it said.
“The breach has been resolved and our website is working normally. We have notified the police and relevant authorities. “We are deeply sorry for the disruption that this criminal activity has caused.”
It said it had resolved the breach, contacted affected customers, and notified authorities, which include the UK Information Commissioner’s Office.
Alex Cruz, BA’s chairman and chief executive, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
The breach came at the height of the summer season.
British Airways advised anyone who believed they may have been affected to contact their bank or credit card provider and follow their recommendations.
As for compensation, BA said: “We will be contacting customers and will manage any claims on an individual basis.”
It said customers due to travel could check in online as normal as the incident had been resolved.
We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action. — NationalCrimeAgency (@NCA_UK) September 6, 2018
BA is the latest major UK company to report such an attack – seemingly the largest since the owner of Currys PC World, Dixons Carphone, admitted in early summer that nine million of its customers had been hit by a data breach.
The theft is also likely to lead to a union backlash after criticism of the airline’s decision to outsource IT work to India.
The issue came to the fore after a costly IT failure last year that left 75,000 passengers stranded.
In April this year, Delta Air Lines announced one of its suppliers had been the victim of a data breach, while last week Air Canada said its mobile app had been breached, potentially affecting 20,000 people.
In May 2018, a report from PA Consulting, said a “hyper-connected model” where passengers in airports wanted fast internet and digital engagement with airlines and retailers brought “a larger attack surface for cyber criminals to exploit”.
There were 1,000 cyber attacks each month on aviation systems in 2016, according to the European Aviation Safety Agency.
Last year, Latam Airlines and Ukraine’s Boryspil airport were indiscriminately hit by ransomware, and in 2016 Vietnam Airlines had to carry out its operations at airports by hand after hackers took down its website.
In August, traffic on IAG, the parent group of BA and Iberia, grew 7 per cent over the previous year in terms of available seat kilometres, a standard industry unit.