Friday September 7, 2018
Oliver Gill, Olivia Rudgard
British Airways has launched an “urgent” investigation and notified police after hundreds of thousands of customers’ personal and financial details were stolen.
The airline said the hack continued for almost two weeks, between August 21 and September 5, with 380,000 payments compromised.
Stolen information did not include travel or passport details.
Customers who made bookings through ba.com or the airline’s app are being urged to contact banks and credit card providers.
Alex Cruz, British Airways' chairman and chief executive, said: "We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously."
Customers raised concerns that the airline had not contacted them directly to tell them about the hack.
Daniel Willis, 34, from Milton Keynes, who booked a flight on Monday with the airline, said: "I saw the tweet, that was the first I knew of it. This is my first involvement with BA since they left me stranded with my wife and 2-year-old daughter for a few days in Düsseldorf in December - again with no communication.
"I’ve not heard anything from them on this and I’ve just had to cancel the card I used. They’re a shambles."
Stephanie Jowers, who works in tech and is from New York, said she contacted the airline just hours before the hack was announced on Twitter with concerns about charges on her account, but was not informed that it could have been compromised.
"I contacted BA customer service by phone three hours prior to the Twitter announcement. I was unclear about the ‘fee’ charged referencing my booking reference number. They put me on hold for a bit. Then the rep told me I would be 'refunded within 24 hours'. I asked repeatedly for an explanation. None was given. No case ID provided either or further contact information for follow-up issues," she told the Daily Telegraph.
She had booked flights during the window of time the airline said their systems had been affected, and the charge had appeared on the booking a week after she paid for the flights. When she contacted her bank following BA's announcement the bank advised her to cancel her card immediately.
Under GDPR rules, companies must inform regulators within 72 hours of becoming aware of a data breach.
"If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay," according to guidelines from the Information Commissioner’s Office (ICO), the independent regulator that upholds information rights in Britain.
The ICO said it had been alerted to the British Airways hack. A spokesman said it would be “making inquiries”, but declined to comment further given the airline’s investigations were “at a very early stage”.
The data breach is the latest in a string to hit the airline sector. Last week Air Canada confirmed a data breach affecting 20,000 customers. In July, Thomas Cook admitted names, emails and flight details had been accessed, although the travel and airline company insisted fewer than 100 bookings had been compromised.
In May, US airline Delta admitted to two breaches during September and October last year.
Rob Burgess, editor of UK frequent flyer website www.headforpoints.com, said: "Data breaches are part and parcel of the world we now live in, and criminal activity is getting ever more sophisticated. Unfortunately, this is likely to be another PR disaster for British Airways, especially as it includes tickets bought in their September sale which is being widely promoted at the moment.
"Following on from the IT meltdown last year, it seems that the decision to outsource the majority of BA's IT to India is yet again coming back to haunt them. The airline has actually been working hard and succeeding of late, to reverse many of the recent cuts to in-flight service in an attempt to improve its public image. Sadly, this data breach is likely to knock back its efforts."