British Airways Customer Data Breach Update

British Airways has issued an update on the progress of its investigation into the theft of data from its website.

British Airways Logo (Image Credit: British Airways)

British Airways has today, Thursday 25 October 2018, issued a statement on the progress of its investigation into the theft of customer data from its website.

The airline first advised in the early evening of Thursday 6 September 2018 that customers who booked flights over a period of nearly two weeks between 22:58 BST on Tuesday 21 August 2018 and 21:45 BST Wednesday 5 September 2018 had their personal and financial details compromised.

The airline has now advised that more customers may have had their personal financial details compromised and is in the process of contacting affected customers.

This includes customers making reward bookings between Saturday 21 April 2018 and Saturday 28 July 2018.

Affected customers will be notified by Friday 26 October 2018.

BA Statement Thursday 25 October 2018

Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.

The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.

While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.

In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.

We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.

Information Commissioner’s Office Statement

In response to today’s statement the Information Commissioner’s Office has advised:

“The ICO’s investigation into a cyber attack at British Airways is ongoing. Meanwhile, we advise people who may have been affected to be vigilant when checking their financial records and to follow the advice on the ICO, National Cyber Security Centre and Action Fraud websites about how they can protect themselves and their data online.”

Update: Friday 26 October 2018

Willie Walsh, CEO of BA’s parent company International Airlines Group, spoke briefly about the matter when it released its 3rd quarter financial results on Friday 26 October 2018.

Two cyber security firms have carried out a forensic investigation on the cyber attack. IAG has also been working with the National Cyber Security Centre, which is part of GCHQ, and the National Crime Agency. The identity of the individual or organisation that carried out the cyber attack is not known.

However, IAG knows that it was a single attacker doing different things over a period of time. IAG considers that it understands exactly how the attacker secured access to BA’s systems, what the attacker did, and when, and what data was viewed.

Whilst there is evidence that customer data was viewed, there is no evidence to indicate that customer data was actually extracted from BA’s systems. It appears that it was not the billing and payment systems that were specifically compromised.

IAG did not give any more detail as a criminal investigation is underway but will give a more detailed explanation about what happened when it is able to do so.

British Airways Customer Data Breach

British Airways has advised that customers who booked flights on its website between 21 August 2018 and 5 September 2018 have had their data compromised.


British Airways has announced that its website and mobile app have been subject to a data breach.

The airline issued a statement in the early evening of Thursday 6 September 2018 that customers who booked flights over a period of nearly two weeks between 22:58 BST on Tuesday 21 August 2018 and 21:45 BST Wednesday 5 September 2018 have had their personal and financial details compromised.

BA has stated that it is contacting affected customers who are advised to contact their banks and credit card companies for appropriate advice. The full statement is as follows:

British Airways is investigating, as a matter of urgency, the theft of customer data from its website, and the airline’s mobile app. The stolen data did not include travel or passport details.

From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on and the airline’s app were compromised.

The breach has been resolved and our website is working normally.
British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice. 

We have notified the police and relevant authorities.

Alex Cruz, British Airways’ Chairman and Chief Executive said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
British Airways will provide further updates when appropriate.

BA has also published guidance for affected customers on its website.

It is noteworthy that BA’s parent company International Airlines Group has issued the above statement to the stock exchange so this is clearly a significant and share price sensitive event.

BA is required by law to notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach. The ICO has the power to levy very substantial fines in the event of a failure to properly report a breach.

Update Friday 7 September 2018

BA has updated its published guidance on the morning of Friday 7 September to advise that the breach also affects any passengers who made changes to existing bookings during the period of the breach.

The scope of changes (e.g. free or paid-for seat assignments etc.) is not defined but this means the breach could affect very many more passengers.

BA has also confirmed that it will fully reimburse passengers for any financial losses as a direct consequence of the security breach. It will also not ask customers to review/update payment card details and any unsolicited requests for this information should not be fulfilled.

The Information Commissioner’s Office has issued a short statement confirming contact with BA:

“British Airways has made us aware of an incident and we are making enquiries.”

National Cyber Security Centre Response

The UK Government’s National Cyber Security Centre, part of GCHQ, has published guidance for affected customers.

American Express Response

American Express, which issues a number of BA branded credit cards, has provided the following response to customers by e-mail:

Dear Cardmember,

I’m writing to you about the reported British Airways data breach involving personal and financial details of customers being compromised through their web and mobile app.

We want to assure you we have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our Cardmembers are never liable for any fraudulent charges on their Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.

There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.

If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.

Thank you for your continued Cardmembership.

BA upgrades its smartphone apps to include automatic rebooking during disruption

British Airways iPad App

One of the many perennial criticisms of British Airways is its handling of disruption at its hub at London Heathrow.  The airport is full, so when there is severe weather, the airline is forced to cancel flights, with short-haul flights always bearing the brunt.  What usually follows is long queues at ticketing desks to be rebooked.

BA announced at the annual Capital Markets Day of its parent company International Airlines Group last year that it was working on automatic rebooking tools during disruption.

BA has today released an update for its smartphone app which includes the option to rebook on to alternative flights during disruption. However, this will initially only be for selected customers. We presume this is for testing purposes.

In addition, most if not all customers should now have a “timeline” feature for each booking on the app which provides a countdown for future bookings and services that are available in connection with that booking.

If you haven’t already done so, we do recommend that all travelers (whether a frequent or once a year BA flyer) download the BA smartphone app. It is the easiest way to keep track of flights both before the day of travel and at the airport. From experience we find it is often ahead of other sources for learning of delays.

It is also an easy way to keep on track of fixed price upgrade offers for existing bookings and being able to book flights without tripping over adverts for hotels and car hire as you do on!

We also recommend that for security reasons software updates for apps are downloaded as soon as they become available.

BA website suffers major outage – Tuesday 11 April 2017

British Airways’ website experienced a major outage on Tuesday 11 April 2017.

Error Message – Tuesday 11 April 2017

If you have tried to visit the BA website at any point today, you will have no doubt received the error message above.

The BA website has been down all day today.  No reason has been given for this, other than “technical issues”.  Whatever the issue is it must be very substantial.  As is BA’s main selling channel, you can be confident there is a lot of pressure to get the website back up and running.

It is also not possible to check bookings via the BA smartphone app.  However, live flight information appears to be available on the app.

In light of the fact that online check-in is not available you are strongly advised to allow plenty of time to check-in at the airport.

Given the nature of the issue is unknown, when the website is back up it is worth checking your Executive Club account and any future bookings to confirm everything is in order.

If you are travelling today you can also check live flight information on the websites of Gatwick, Heathrow and London City airports.

Edit: The website appears to be up and running at 20:00 BST.