British Airways has apologised as it faced a backlash after thousands of customers were left compromised following a 15-day data breach.
The airline said that around 380,000 card payments had been compromised and urged anyone who suspected they may have been affected to contact their bank or credit card provider.
BA said it had been the victim of a ‘sophisticated, malicious criminal attack’ carried out on its website.
‘We’re extremely sorry,’ said BA boss Alex Cruz told the BBC.
‘I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app.
‘We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.’
The company also placed adverts apologising in several newspapers on Friday.
And Mr Cruz said the airline would reimburse all customers following the attack.
‘We are 100% committed to compensate them, period,’ BA boss Alex Cruz told the BBC.
‘We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.’
The airline had revealed the hack on Thursday night, claiming: ‘British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.
‘The breach has been resolved and our website is working normally.’
The breach took place August 21 and September 5.
BA says all customers affected by the breach had been contacted.
What happened and who is affected?
BA says “criminal activity” compromised the personal and financial details of customers who made bookings on its website or app between 10.58pm on August 21 until 9.45pm on Wednesday, September 5. No passport or travel details were stolen.
What does it mean for customers?
While passport or travel details haven’t been taken, the fact that personal details have been compromised means customers’ names, addresses and card details may be at risk, putting them at risk of fraudulent online purchases or card cloning.
What is British Airways doing now?
BA said it was investigating the vast breach “as a matter of urgency”, while the National Crime Agency and National Cyber Security Centre are also assessing the hack.
The airline says it is in the process of contacting all affected customers.
Alex Cruz, BA’s chairman and chief executive, said it was “deeply sorry for the disruption that this criminal activity has caused”, adding: “We take the protection of our customers’ data very seriously”.
A spokesman for the Information Commissioner’s Office said they will be making inquiries about the data theft.
What should you do if you think you’re affected?
BA is urging anyone who suspects they have been affected to contact their bank or credit card provider and follow their advice.
Banks including NatWest and RBS have attempted to reassure worried customers that they have “significant” levels of security in place, although they advised account holders to be on the lookout for any suspicious activity.
Which? said anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers could try and take advantage of it.
How are people reacting?
Customers have been left furious amid reports of banks being inundated with calls, leaving account holders in lengthy queues, while some BA customers said they had to have cards cancelled and reissued as a result.
Some have taken to social media and helplines to voice their concern and annoyance at the situation.
Wow @British_Airways are a shambles. They really to get themselves together. If it’s not a data breach, it’s an IT systems failure and if not systems related then it’s threatening kids to be thrown off a flight. Negative press galore… https://t.co/9RvQKEVWsq
— Amit Patel (@AmitBhupsPatel) September 7, 2018
Customer Mat Thomas said he had placed a booking on August 27, but had not been contacted over the breach.
“Atrocious that I had to find out about this via news and twitter,” he tweeted.
“Called bank and had to cancel both mine and my wife’s card. Probably won’t get it back before we fly (ironically). Terrible handling of the situation as I’ve still not received an email from BA!”
I'm so annoyed with British Airways today. I booked a number of flights over the period that data was compromised. Their website it poor at the best of times but to allow such a big data breach, for so long, is unbelievable. At least American Express are on top of their game.
— Daisy (@wildhampshire) September 7, 2018
Gemma Theobald said she had booked on Sunday and only found out about the breach on Twitter.
She tweeted: “My bank… are experiencing extremely high call volumes due to this breach! Couldn’t do anything other than cancel my card… not how I wanted to spend my Thursday evening”.
Do you have to worry if you’re planning to book with BA?
The airline says the incident has been resolved and all systems are working normally. Customers due to travel can check in online as normal.
Future bookings will not be affected, BA said.
Has this happened to BA before?
It may not have been a data breach, but BA passengers faced woes when an IT meltdown caused huge disruption at the start of the May half-term holiday, leaving 75,000 passengers stranded after the airline was forced to cancel nearly 726 flights over three days.
BA’s data breach follows a massive incident that saw round 10 million records containing personal data of Dixons Carphone customers accessed.
The company said there was evidence that some of the data “may have left our systems”, although the records did not contain payment card or bank account details and there was no evidence that any fraud has resulted.