British Airways has announced that its website ba.com and mobile app have been subject to a data breach.
The airline issued a statement in the early evening of Thursday 6 September 2018 that customers who booked flights over a period of nearly two weeks between 22:58 BST on Tuesday 21 August 2018 and 21:45 BST Wednesday 5 September 2018 have had their personal and financial details compromised.
BA has stated that it is contacting affected customers, who are advised to contact their banks and credit card companies for appropriate advice. The full statement is as follows:
British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.
From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.
The breach has been resolved and our website is working normally.
British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.
We have notified the police and relevant authorities.
Alex Cruz, British Airways’ Chairman and Chief Executive said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
British Airways will provide further updates when appropriate.
BA has also published guidance for affected customers on its website ba.com.
It is noteworthy that BA’s parent company International Airlines Group has issued the above statement to the stock exchange, so this is clearly a significant and share-price-sensitive event.
BA is required by law to notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach. The ICO has the power to levy very substantial fines in the event of a failure to properly report a breach.
Update Friday 7 September 2018
BA has updated its published guidance on the morning of Friday 7 September to advise that the breach also affects any passengers who made changes to existing bookings during the period of the breach.
The scope of changes (e.g. free or paid-for seat assignments) is not defined, but this means the breach could affect very many more passengers.
BA has also confirmed that it will fully reimburse passengers for any financial losses as a direct consequence of the security breach. It will also not ask customers to review/update payment card details and any unsolicited requests for this information should not be fulfilled.
The Information Commissioner’s Office has issued a short statement confirming contact with BA:
“British Airways has made us aware of an incident and we are making enquiries.”
National Cyber Security Centre Response
The UK Government’s National Cyber Security Centre, part of GCHQ, has published guidance for affected customers.
American Express Response
American Express, which issues a number of BA-branded credit cards, has provided the following response to customers by e-mail:
I’m writing to you about the reported British Airways data breach involving personal and financial details of customers being compromised through their web and mobile app.
We want to assure you we have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our Cardmembers are never liable for any fraudulent charges on their Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.
There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.
If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.
Thank you for your continued Cardmembership.