British Airways apologises after 380,000 customers hit in cyber attack
British Airways has apologised after the credit card details of hundreds of thousands of its customers were stolen over a two-week period in an attack on its website and app.
The airline discovered on Wednesday that bookings made between 21 August and 5 September had been infiltrated in a “very sophisticated, malicious criminal” attack, said BA chairman and chief executive Alex Cruz. It immediately contacted customers when the extent of the breach became clear.
Around 380,000 card payments were compromised, the airline said, with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.
The attack came 15 months after the carrier suffered a significant computer system failure at Heathrow airport, which stranded 75,000 customers over a holiday weekend.
Cruz said the carrier was “deeply sorry” for the disruption caused by the sophisticated crime, which was unprecedented in the more than 20 years that BA had operated online. He said the attackers had not broken the airline’s encryption but did not explain exactly how they had obtained the customer information.
“There were other methods, very sophisticated efforts, by criminals in obtaining the data,” he told BBC radio. “It was having access to our systems in an illicit way, it was very sophisticated.”
Shares in BA’s parent, International Airlines Group, fell 3% in early trading today. However, the company had been commended for its handling of the incident in light of the new General Data Protection Regulation (GDPR).
“BA’s reaction was very fast,” Ilia Kolochenko, chief executive of web security company High-Tech Bridge, told Computer Weekly. “The company’s transparency and frankness serve as a good example to other companies who are prone to minimising the consequences.”
However, violations can be punished with as much as 4% of a company’s annual sales, which for BA could reach about £489m based on 2017 figures. “This is one of the first big tests of GDPR,” Julian Saunders, founder of Port.im, a British software maker that helps businesses adapt to the rules, told Bloomberg. The question for regulators is “whether BA’s actions warrant a fine.”
A spokesperson for the Information Commissioner’s Office said: “British Airways has made us aware of an incident and we are making enquiries.”
BA informed customers affected by the attack yesterday, Cruz said. It advised them to contact their bank or credit card provider and follow their recommended advice. It also took out ads in national newspapers today.
Cruz said anyone who lost out financially would be compensated by the airline. “The moment we found out that actual customer data had been compromised that’s when we began an all-out immediate communication to our customers, that was the priority,” he said.
Data security expert Trevor Reschke said that like any website which sees large volumes of card transactions, British Airways was a ripe target for hackers. “It is now a race between British Airways and the criminal underground,” said Reschke, head of threat intelligence at Trusted Knight.
“One will be figuring out which cards have been compromised and alerting victims, whilst the other will be trying to abuse them while they are still fresh.”
IAG said the data breach had been resolved and the website was working normally, and that no travel or passport details were stolen. The airline had launched an investigation and notified police and other relevant authorities.
After the computer system failure in May 2017, BA said it would take steps to ensure such an incident never happened again, but in July it was forced to cancel and delay flights out of the same airport due to problems with a supplier’s IT systems.