British Airways “deeply sorry” for website hack - 380,000 card details stolen

7 September 2018

British Airways (BA) is investigating the theft of customer data from its website and its mobile app following a data breach.

The airline said that 380,000 payment cards had been compromised and that it was investigating the breach as a “matter of urgency”. The police have been notified and the National Crime Agency and the National Cyber Security Centre are also assessing the hack.

Read more: 10 tips to beef up your cyber security

BA said that between 22:58 21 August 2018 and 21:45 5 September 2018 hackers stole the personal and financial details of customers making bookings on its website and the airline’s app. The stolen data did not include travel or passport details.

After a breach like this it is always a good idea to change your passwords. Customers who made bookings using the website or the app are also being urged to contact their banks and credit card providers. You should check your card statements for any suspicious activity if you think you might have been affected or are contacted by the airline. 

Banks such as Monzo and Starling Bank have taken aggressive action to protect their own customers who transacted with BA in the affected time period, replacing customer cards. The companies tweeted:

Last night, we contacted 1,300 customers affected by the British Airways data breach and ordered them new cards as a precaution to protect them from fraud.

— Monzo (@monzo) September 7, 2018

Following the @British_Airways data breach announcement we have ordered replacement debit cards for all customers who spent money with BA from 21st August to 5th September.

Affected customers will receive a message by email.

— Starling Bank (@StarlingBank) September 7, 2018

Alex Cruz, BA’s chairman and chief executive says: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

The airline has taken out advertisements in the national press apologising for the breach.

The data theft comes as a further blow to the reputation of the airline after it experienced a serious IT failure in May last year which caused huge disruption to passengers, leaving thousands stranded.

Rob Burgess, editor of UK frequent flyer website, says: "Data breaches are part and parcel of the world we now live in, and criminal activity is getting ever more sophisticated.  Unfortunately, this is likely to be another PR disaster for British Airways, especially as it includes tickets bought in their September sale which is being widely promoted at the moment.  

“Following on from the IT meltdown last year, it seems that the decision to outsource the majority of BA's IT to India is yet again coming back to haunt them.  The airline has actually been working hard and succeeding of late, to reverse many of the recent cuts to in-flight service in an attempt to improve its public image.  Sadly, this data breach is likely to knock back its efforts." 

Will there be compensation?

BA says it will be contacting affected customers directly about what has happened and is advising them to contact their banks or credit card providers and follow their recommended advice.

Regarding compensation, every customer affected will be fully reimbursed and BA will pay for a credit checking service. 

As the incident has been resolved and the BA website is working normally, all customers booked on flights will be able to check in as normal. Future bookings will also not be affected.

Be aware of follow-up scams

Financial trade body UK Finance is warning consumers that criminals could use the publicity from the breach to pose as an official from BA and steal your data.

Katy Worobec, managing director of economic crime at UK Finance, says: “Often the criminal will pretend to be from the impacted company, such as British Airways, or claim they are dealing with an issue resulting from the data breach.

“Fraudulent emails, phone calls or text messages often claim there has been fraud on an account or the customer needs to verify or update details. The communication often suggests the request is urgent or asks for remote access to the customer’s computer.”

She adds: “Using the data breach as a cover story, the criminal will then attempt to get the recipient to disclose personal or financial information, which they will then use for their own fraudulent purposes.”

Add new comment