British Airways Customer Data Breach Update

British Airways has issued an update on the progress of its investigation into the theft of data from its website.


British Airways Logo (Image Credit: British Airways)

British Airways has today, Thursday 25 October 2018, issued a statement on the progress of its investigation into the theft of customer data from its website.

The airline first advised in the early evening of Thursday 6 September 2018 that customers who booked flights over a period of nearly two weeks between 22:58 BST on Tuesday 21 August 2018 and 21:45 BST Wednesday 5 September 2018 had their personal and financial details compromised.

The airline has now advised that more customers may have had their personal financial details compromised and is in the process of contacting affected customers.

This includes customers making reward bookings between Saturday 21 April 2018 and Saturday 28 July 2018.

Affected customers will be notified by Friday 26 October 2018.

BA Statement Thursday 25 October 2018

Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.

The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.

While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.

In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.

We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.

Information Commissioner’s Office Statement

In response to today’s statement the Information Commissioner’s Office has advised:

“The ICO’s investigation into a cyber attack at British Airways is ongoing. Meanwhile, we advise people who may have been affected to be vigilant when checking their financial records and to follow the advice on the ICO, National Cyber Security Centre and Action Fraud websites about how they can protect themselves and their data online.”

Update: Friday 26 October 2018

Willie Walsh, CEO of BA’s parent company International Airlines Group, spoke briefly about the matter when it released its 3rd quarter financial results on Friday 26 October 2018.

Two cyber security firms have carried out a forensic investigation on the cyber attack. IAG has also been working with the National Cyber Security Centre, which is part of GCHQ, and the National Crime Agency. The identity of the individual or organisation that carried out the cyber attack is not known.

However, IAG knows that it was a single attacker doing different things over a period of time. IAG considers that it understands exactly how the attacker secured access to BA’s systems, what the attacker did, and when, and what data was viewed.

Whilst there is evidence that customer data was viewed, there is no evidence to indicate that customer data was actually extracted from BA’s systems. It appears that it was not the billing and payment systems that were specifically compromised.

IAG did not give any more detail as a criminal investigation is underway but will give a more detailed explanation about what happened when it is able to do so.
