British Airways has apologised and pledged compensation after admitting that up to 380,000 of its customers could have had their card details stolen.
The airline said that its systems had been compromised for more than two weeks, with ‘the personal and financial details of customers making bookings on our website and app’ potentially stolen by hackers between 21 August and 5 September.
Crucially, this seems to have included the three-digit CVV number on the back of payment cards. Security experts have suggested that this means the data was intercepted by attackers as customers typed in their card details, rather than stolen directly from the airline, as firms don’t store CVV numbers.
It’s too early to say how that happened, but BA chief executive Alex Cruz said: ‘We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.’
BA said that no other details, such as travel plans or passport numbers, had been stolen in the breach.
BA data breach: what should you do?
If you’ve been affected by the breach, BA will have emailed you. The airline has advised that customers whose payment details have been stolen should let their bank know immediately. That way, your bank can watch out for unusual transactions on your account and, if necessary, replace the card.
You should also keep a close eye on your account and let your bank know immediately if you spot any rogue transactions.
It’s not clear whether login details and passwords were also compromised, but it’s a good idea to change your password if you’re one of the people affected. And if you use the same password anywhere else, change it there, too.
Beware of phishing scams
You should also look out for scammers trying to capitalise on the breach: hackers often mount phishing attacks in the aftermath of a big hack. Watch out for emails or SMS texts that claim to come from BA or your bank and ask you to sign in ‘to protect your account’, and check that the website is genuine before you go ahead and log in.
BA said the breach has been resolved, and that it had notified the police and the Information Commissioner’s Office (ICO), which is the UK’s data protection regulator.
Chief executive Alex Cruz promised on Friday morning to compensate any of the airline’s customers who lost money as a result of the breach. He told the BBC’s Today programme: ‘We will work with any customer affected and we will compensate any financial hardship suffered.’ He added that he was ‘extremely sorry for what happened’.