The breach related specifically to payments made via the BA website and mobile app between 10.58pm on August 21 and 9.45pm on September 5.
Chief executive Alex Cruz described it as a “sophisticated, malicious, criminal attack”. Data stolen included names, addresses, email addresses, card numbers, expiry dates and CVV codes – the three- or four-digit security code on the back of most cards.
While BA has declined to give a technical explanation, retailers are prohibited from storing CVV codes during transactions.
Cyber security analyst RiskIQ has therefore likened the attack to an online card skimming exercise, with the data compromised between the consumer and BA.
RiskIQ’s analysis of the BA website and app found 22 lines of “malicious” code implanted in BA’s systems before the attack, which appeared to have been active from August 15.
However, unlike a similar attack on Ticketmaster earlier this year, the perpetrators accessed BA’s site directly and planned it around its “unique structure and functionality” rather than by compromising a third-party system.
Cruz said those responsible had access to BA’s systems “in an illicit way”. BA has also confirmed that while GDS bookings are unaffected, any payments made for additional products such as excess baggage through ba.com or the app could have been affected.
The National Crime Agency and Information Commissioner’s Office (ICO) are investigating.
BA could face a fine of up to £500 million under GDPR if the ICO takes enforcement action. The new data regulations mean the ICO can now fine companies up to 4% of their global turnover. Last year, BA’s total revenue was around £12.2 billion.
Separately, SPG Law said it is considering a £500 million group compensation action.
This is what the trade said of the situation:
Adrian Parkes, chief executive of the Guild of Travel Management Companies, said: “Data breaches of any kind are concerning, not only for customers at risk but on a wider scale for the travel industry in an increasingly digitalised world. These unfortunate incidents highlight the value of using a TMC to manage travel bookings for business of all sizes.
“Perhaps most at risk of such data breaches are SMEs who tend to book their own travel, however it’s essential they consider using a TMC for travel arrangements as their data will be handled securely and bookings will be protected.”
A spokesperson for the Advantage Travel Partnership said: “Most British Airways bookings our members make will have been via the GDS.
“There are occasions they go onto the BA site and use their own corporate cards if they find a better fare, but most will have policies in place that they have to adhere to.”
Jhy Worsnop-Hesford, industry consultant and former BA employee, said: "BA have incredible systems and procedures. They take data from any party seriously from the word go.
"I don't think it will damage BA's reputation. The way they've handled it so far has been very good. They've outlined the issues, fixed the issue and proposed to resolve any issues or losses customers may face. More importantly, they've not left anyone in the dark.
"I think the hack on BA clearly outlines the emerging threat all organisations, not only travel but other industries too, face in the future – and I think customers do understand this. It isn't the first hack on a large corporation, and I'm certain it won't be the last, unfortunately."
Greig Ewins, Stewart Travel homeworker, said: "I actually booked my own flights on ba.com during the period of the data theft. I was worried at the time but both BA and American Express have kept us up to date with information which has reassured me and my wife.
"It would not put me off BA as unfortunately this is the world we now live in and companies all over the world have the most up to date security systems but there will always be some that still get hacked. I've also not had any issues with customers."