Category: British Airways Website & Mobile Apps

London Air Travel » British Airways » British Airways Website & Mobile Apps

British Airways has today, Thursday 25 October 2018, issued a statement on the progress of its investigation in to the theft of customer data from its website.

The airline first advised in the early evening of Thursday 6 September 2018 that customers who booked flights over a period of nearly two weeks between 22:58 BST on Tuesday 21 August 2018 and 21:45 BST Wednesday 5 September 2018 had their personal and financial details compromised.

The airline has now advised that more customers may have had their personal financial details compromised and is in the process of contacting affected customers.

This include customers making reward bookings between Saturday 21 April 2018 and Saturday 28 July 2018.

Affected customers will be notified by Friday 26 October 2018.

BA Statement Thursday 25 October 2018

Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.

The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.

While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.

In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.

We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.

Information Commissioner’s Office Statement

In response to today’s statement the Information Commissioner’s Office has advised:

“The ICO’s investigation into a cyber attack at British Airways is ongoing. Meanwhile, we advise people who may have been affected to be vigilant when checking their financial records and to follow the advice on the ICO, National Cyber Security Centre and Action Fraud websites about how they can protect themselves and their data online.

Update: Friday 26 October 2018

Willie Walsh, CEO of BA’s parent company International Airlines Group, spoke briefly about the matter when it released its 3rd quarter financial results on Friday 26 October 2018.

Two cyber security firms have carried out a forensic investigation on the cyber attack. IAG has also been working with the National Cyber Security Centre, which is part of GCHQ, and the National Crime Agency. The identity of the individual or organisation that carried out the cyber attack is not known.

However, IAG knows that it was a single attacker doing different things over a period of time. IAG considers that it understands exactly how the attacker secured access to BA’s systems, what the attacker did, and when, and what data was viewed.

Whilst there is evidence that customer data was viewed, there is no evidence to indicate that customer data was actually extracted from BA’s systems. It appears that it was not the billing and payment systems that were specifically compromised.

IAG did not give any more detail as a criminal investigation is underway but will give a more detailed explanation about what happened when it is able to do so.

London Air Travel » British Airways » British Airways Website & Mobile Apps

British Airways has announced that its website ba.com and mobile app has been subject to a data breach.

The airline issued a statement in the early evening of Thursday 6 September 2018 that customers who booked flights over a period of nearly two weeks between 22:58 BST on Tuesday 21 August 2018 and 21:45 BST Wednesday 5 September 2018 have had their personal and financial details compromised.

BA has stated that it is contacting affected customers who are advised to contact their banks and credit card companies for appropriate advice. The full statement is as follows:

British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.

From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.

The breach has been resolved and our website is working normally.
 
British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice. 

We have notified the police and relevant authorities.

Alex Cruz, British Airways’ Chairman and Chief Executive said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
 
British Airways will provide further updates when appropriate.

BA has also published guidance for affected customers on its website ba.com

It is noteworthy that BA’s parent company International Airlines Group has issued the above statement to the stock exchange so this is clearly a significant and share price sensitive event.

BA is required by law to notify the Information Commissioner’s Office with 72 hours of becoming aware of the breach. The ICO has the power to levy very substantial fines in the event of a failure to properly report a breach.

Update Friday 7 September 2018

BA has updated its published guidance on the morning of Friday 7 September to advise that the breach also affects any passengers who made changes to existing bookings during the period of the breach.

The scope of changes (eg free or paid for seat assignments etc) is not defined but this means the breach could affect very many more passengers.

BA has also confirmed that it will fully reimburse passengers for any financial losses as a direct consequence of the security breach. It will also not ask customers to review/update payment card details and any unsolicited requests for this information should not be fulfilled.

The Information Commissioner’s Office has issued a short statement confirming contact with BA:

“British Airways has made us aware of an incident and we are making enquiries.”

National Cyber Security Centre Response

The UK Government’s National Cyber Security Centre, part of GCHQ, has published guidance for affected customers.

American Express Response

American Express, which issues a number of BA branded credit cards has provided the following response to customers by e-mail:

Dear Cardmember,

I’m writing to you about the reported British Airways data breach involving personal and financial details of customers being compromised through their web and mobile app.

We want to assure you we have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our Cardmembers are never liable for any fraudulent charges on their Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.

There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.

If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.

Thank you for your continued Cardmembership.