British Airways is investigating a data breach of customer data from its website and app over a two-week period and has urged customers affected to contact their banks or credit card providers. The airline said around 380,000 payment cards had been compromised and it had notified the police.
BA said all customers affected by the breach had been contacted on Thursday night. The breach only affects people who bought tickets during the time-frame provided by BA, and not on other occasions.
British Airways says it was not a breach of the airline’s encryption. “There were other methods, very sophisticated efforts, by criminals in obtaining our data,” BA’s chief executive, Álex Cruz, said.
In a statement the company said,
The stolen data did not include travel or passport details. From 22.58 BST August 21 2018 until 21.45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised. The breach has been resolved and our website is working normally.
“British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.
“We have notified the police and relevant authorities.”
Under the new European GDPR data protections laws, the airline can face fines of up to four percent of its global annual revenue.
The National Crime Agency said: “We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action.”
A spokesman for the Information Commissioner’s Office said “British Airways has made us aware of an incident and we are making enquiries.”