British Airways boss Alex Cruz has apologised to customers for what he describes as a “sophisticated data breach”.
Cruz told the BBC that hackers carried out a “malicious criminal attack” on its website, compromising its security systems.
Promising compensation to customers, the airline said personal and financial details of customers making or changing bookings had been compromised. Approximately 380,000 transactions have been affected, but the stolen data did not include travel or passport details.
We are 100% committed to compensate them, period,” Mr Cruz told the BBC’s Today programme. We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.
BA told the BBC the breach occurred between 22:58 BST on 21st August and 21:45 BST on 5th September.
On the Today programme Mr Cruz said:
We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app.
We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.
The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.
A spokesperson said the airline had contacted all customers affected by the breach on Thursday evening. Apparently the breach only affects customers who purchased tickets during the timeframe provided by BA, and not on other occasions.
Mr Cruz also added:
At the moment, our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data.
Last Friday a number of newspapers featured adverts in which British Airways apologises for the sophisticated data breach.
What information was stolen?
Alex Cruz said:
It was name, email address, credit card information – that would be credit card number, expiration date and the three digit [CVV] code on the back of the credit card.
The airline was insistent that it does not store CVV numbers. However, since the attackers managed to obtain CVV numbers, security experts speculated that card details were intercepted, rather than retrieved from BA’s database.
How did the hackers gain access?
How did hackers get into British Airways? …and how could they use this data?
Once online fraudsters have obtained people’s personal information, they they could potentially access people’s bank accounts. They could even open new accounts or use the individuals’ details to make fraudulent purchases. They could also sell on your details to other criminals.
What should affected customers do?
If you have been affected by this breach, you should:
- immediately change your online passwords.
- regularly monitor your bank and credit card accounts for any unusual transactions.
- Be wary of any emails or phone calls asking for more information to help deal with the data breach
(crooks often pose as police, banks or, in this instance they could even pretend to be from BA.)
BA customer Jorg Herrera, from Amersham, received an email from the airline having booked tickets with BA last month.
I have six cards linked to my BA account,” he told the BBC. “I have no idea how much of my information has been stolen. I will have to go to each of my credit card providers, cancel the cards, and all the direct debits, etc, related to those cards. This will take a long time, something I have to do with no help from BA. This whole thing is terribly concerning and really annoying.
Duty of care
British Airways could now face financial penalties from the Information Commissioner’s Office (ICO), which is investigating the breach.
Rachel Aldighieri, managing director of the Direct Marketing Association, said:
British Airways has a duty of care to ensure their customer data is secure. They need to demonstrate that they have done everything in their power to ensure such a breach doesn’t happen again.
The risks go far beyond the fines regulators can issue – albeit that these could be hefty under the new [EU data protection] GDPR regime.
Under the GDPR, fines can be up to 4% of annual global revenue. BA’s total sales revenue for the year ending 31 December 2017 was £12.226 billion. This could mean a potential fine of up to £489m. The National Crime Agency and National Cyber Security Centre also confirmed they are looking into the incident.