The boss of British Airways has confirmed payment data stolen from its website and mobile app included enough bank card and personal details for criminals to access BA customers’ money.
Speaking to Radio 4’s Today Show on Friday, BA chief executive Alex Cruz elaborated on what he described as a “sophisticated, malicious, criminal attack” on the airline’s payment systems.
The airline on Thursday evening confirmed data relating to around 380,000 ba.com and mobile app transactions made between 11pm on August 21 and 10pm on September 5 had been compromised.
Cruz admitted, though, that the airline first knew about the attack on Wednesday.
“We have a network of partners monitoring continuously what happens to websites across the world,” he said. “We got a signal from one of those partners. It took us a number of hours to go through it.
“The moment we found out actual customer data had been compromised, we began an all-out, immediate communication to our customers. That was our priority. We are extremely sorry for what has happened - we know it is causing concern to some of our customers, especially those that booked by ba.com and our app.”
Cruz confirmed names, addresses, email addresses, card numbers, expiry dates and three-digit CVC codes had been stolen.
When asked if enough information had been stolen for these cards to be used, Cruz answered simply: “Correct.”
He added, though, that no itinerary information, frequent flyer data or passport data had been compromised.
Cruz said BA was “100% committed” to compensating anyone whose card is used illegally following the breach.
“We are going to work with any customer who may have been financially affected as a direct result of this attack,” he said. “We will compensate them for any financial hardship they suffer.”
When pressed on how the culprits managed to access BA’s systems, Cruz declined to give a more complex, technical answer but denied it was a breach of its data encryption measures.
“All our data is encrypted,” he said. “Credit card data is encrypted. There were other methods - very sophisticated efforts by criminals - to get that data.
“They had access to our systems in an illicit way. They managed to access that data. We need to find out exactly how it happened.”
Cruz said ba.com had never suffered a breach “of this type” in 20 years of operation. “We are fully committed to the data integrity of our customers,” he said.
“We are going to find out what has gone on. What we are interested in at the moment is [looking] after our customers. We know they must be feeling concerned and upset at this time.
“Last night [Thursday], we began to issue emails in the late afternoon, early evening. A very small number of emails went out with no text and we re-sent them a few minutes later.
“The first thing we actually did was begin to contact customers by phone. We went out to [the] media and we went through all our social media channels - all possible channels we could.
“We did this absolutely as soon as we could. There was no other priority in British Airways at that time. We are satisfied all [those affected] have been contacted as of last night.”
BA on Friday placed adverts in a number of major newspapers to apologise for the hack.
Cruz confirmed the police, National Crime Agency and Information Commissioner’s Office had been notified and were involved in the investigation.