The breach related specifically to payments made via the BA website and mobile app between 10.58pm on August 21 and 9.45pm on September 5.
Chief executive Alex Cruz described it as a “sophisticated, malicious, criminal attack”. Data stolen included names, addresses, email addresses, card numbers, expiry dates and CVV codes – the three- or four-digit security code on the back of most cards.
While BA has declined to give a technical explanation, retailers are prohibited from storing CVV codes during transactions.
Cyber security analyst RiskIQ has therefore likened the attack to an online card skimming exercise, with the data compromised between the consumer and BA.
RiskIQ’s analysis of the BA website and app found 22 lines of “malicious” code implanted in BA’s systems before the attack, which presented as active on August 15.
However, unlike a similar attack on Ticketmaster earlier this year, the perpetrators accessed BA’s site directly and planned it around its “unique structure and functionality” rather than by compromising a third-party system.
Cruz said those responsible had access to BA’s systems “in an illicit way”. BA has also confirmed that while GDS bookings are unaffected, any payments made for additional products such as excess baggage through ba.com or the app could have been affected.
The National Crime Agency and Information Commissioner’s Office (ICO) are investigating.
BA could face a fine of up to £500 million under GDPR if the ICO takes enforcement action. The new data regulations mean the ICO can now fine companies up to 4% of their global turnover. Last year, BA’s total revenue was around £12.2 billion.
Separately, SPG Law said it is considering a £500 million group compensation action.
This is what the trade said of the situation: