Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

BA Scrambles to Address Theft of Passenger Bank Details

British Airways will financially compensate customers whose data were stolen in a “sophisticated” and “malicious” hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.

British Airways will financially compensate customers whose data were stolen in a “sophisticated” and “malicious” hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.

BA late Thursday revealed that personal and financial details of customers who booked flights on the group’s website and mobile phone app between August 21 and Wednesday had been stolen.

The revelation comes just a few months after the European Union tightened data protection laws.

“We’re extremely sorry for what has happened,” Cruz told the BBC on Friday.

“There was a very sophisticated, malicious, criminal attack on our website.”

BA took out full-page adverts in the UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than three percent in London deals.

“We are 100 percent committed to compensate them,” Cruz said.

“We will compensate them for any financial hardship that they may have suffered,” he told the broadcaster.

BA said it had launched an urgent investigation after realising that about 380,000 bank cards used to book its flights had been hacked.

The stolen data comprised customer names, postal addresses, email addresses and credit card information. 

However the 15-day breach did not involve travel or passport details and has been fixed, the airline added.

 – Regulators investigate – 

“The moment we found out (Wednesday) that actual customer data had been compromised, that’s when we began an all out immediate communication to our customers. That was our priority,” Cruz said.

However Enza Iannopollo, privacy and security analyst at advisory group Forrester, said BA could have done better on informing those affected.

“If the timeline is confirmed and BA became aware of the breach on the evening of September 5th, then they have done their breach notification on time, which is of course a good thing,” she said in a statement. 

“However, customers are obviously not impressed about BA breach management at present. Some discovered it on social media, others reported wasting hours on the phone with their bank, everyone expects more from a company that truly cares about its customers.”

“Terrible handling of the situation,” tweeted one affected customer, Mat Thomas. 

Iannopollo told AFP that it was too early to know whether BA would be fined over the affair.

“Regulators will assess the circumstances of this breach consistently with GDPR requirements,” she said referring to the EU’s General Data Protection Regulation that came into force in May.

Britain’s National Crime Agency said it was assessing the matter, while the UK’s data protection watchdog, the Information Commissioner’s Office, will make its own enquiries.

“The ICO will do its assessment and investigation to determine whether to levy a fine or impose any enforcement action, but this will take some time and it might be that the regulator determines that rules were not breached,” Iannopollo said.

About 1100 GMT, shares in IAG, which runs also Spanish carriers Iberia and Vueling as well as Irish airline Aer Lingus, were down 3.5 percent at 657.60 pence on London’s benchmark FTSE 100 index, down 0.8 percent overall.

“Today’s news is a reminder of just what a hot issue cyber security remains and the importance of companies having the right protections in place to mitigate the risk posed by attacks,” noted Russ Mould, investment director at AJ Bell.

Written By

AFP 2023

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.

Funding/M&A

Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.