Hello! You are viewing your 1 free guest article this week

Please log in or join now for free, immediate and unlimited access to our award-winning online content. Find out more...

Join us
Already a member? Log in here

Travel industry news

07 Sep 2018

BY James Chapple


British Airways: Full extent of customer payment data hack revealed

The boss of British Airways has confirmed payment data stolen from its website and mobile app included enough bank card and personal details for criminals to access BA customers’ money.

british airways 21686643714896

Full extent of British Airways customer payment data hack revealed

British Airways payment data theft included card numbers, expiry dates and CVC codes

Speaking to Radio 4’s Today Show on Friday, BA chief executive Alex Cruz elaborated on what he described as a “sophisticated, malicious, criminal attack” on the airline’s payment systems.

The airline on Thursday evening confirmed data relating to around 380,000 ba.com and mobile app transactions made between 11pm on August 21 and 10pm on September 5 had been compromised.

Cruz though admitted the airline first knew about the attack on Wednesday.


MORE: British Airways urgently investigating theft of customer payment data

“We have a network of partners monitoring continuously what happens to websites across the world,” he said. “We got a signal from one of those partners. It took us a number of hours to go through it.

“The moment we found out actual customer data had been compromised, we began an all out, immediate communication to our customers. That was our priority. We are extremely sorry for what has happened - we know it is causing concern to some of our customers, especially those that booked by ba.com and our app.”

Cruz confirmed names, addresses, email addresses, card numbers, expiry dates and three-digit CVC codes had been stolen.

When asked if enough information had been stolen for these cards to be used, Cruz answered simply: “Correct.”

He added though that no itinerary information, frequent flyer data or passport data has been compromised.

Cruz said BA was “100% committed” to compensating anyone whose card is used illegally following the breach.

“We are going to work with any customer who may have been financially affected as a direct result of this attack,” he said. “We will compensate them for any financial hardship they suffer.”


Cruz: 'They had access in an illicit way'

Cruz: 'They had access in an illicit way'

When pressed on how the culprits managed to access BA’s systems, Cruz declined to give a more complex, technical answer but denied it was a breach of its data encryption measures.

“All our data is encrypted,” he said. “Credit card data is encrypted. There were other methods - very sophisticated efforts by criminals - to get that data.

“They had access to our systems in an illicit way. They managed to access that data. We need to find out exactly how it happened.”

Cruz said ba.com had never suffered a breach “of this type” in 20 years operation: “We are fully committed to the data integrity of our customers,” he said.

“We are going to find out what has gone on. What we are interested in at the moment is [looking] after our customers. We know they must be feeling concerned and upset at this time.

“Last night [Thursday], we began to issue emails in the late afternoon, early evening. A very small number of emails went out with no text and we resent them a few minutes later.

“The first thing we actually did was begin to contact customers by phone. We went out to [the] media and we went through all our social media channels - all possible channels we could.

“We did this absolutely as soon as we could. There was no other priority in British Airways at that time. We are satisfied all [those affected] have been contacted as of last night.”

BA on Friday placed adverts in a number of major newspapers to apologise for the hack.

Cruz confirmed the police, National Crime Agency and Information Commissioners’ Office had been notified and were involved in the investigation.

Add New Comment
Please sign in to comment.
Show me more

Follow Us

TTG Media Limited.
Place of registration: England and Wales.
Company number 08723341.
Registered address: New Bridge Street House, 30-34 New Bridge Street, London EC4V 6BJ
Scroll To Top