September 7th 2018
British Airways Chief Executive, Álex Cruz, has apologised for the breach in which it is thought that approximately 380,000 payment cards have been compromised after a data theft from its website and app.
The protracted breach – involving personal and financial details of customers making bookings – occurred over a two-week period from 10.58pm BST on August 21st to 9.45pm on September 5th.
Speaking on BBC Radio 4’s Today programme, Cruz said: “The first thing to say is that I am extremely sorry for what happened. We will work with any customer affected and we will compensate any financial hardship suffered.”
Saying that it was a “sophisticated” campaign by cybercriminals, not a breach of the airline’s encryption, Cruz was not prepared to go into any further detail whilst a police investigation is taking place.
He added that a partner had alerted BA to the attack on September 5th and an investigation was launched immediately: “The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”
The breach is being investigated by the Information Commissioner’s Office (ICO) and a heavy fine could be levied under the strict GDPR rules introduced in May. In the meantime, BA’s parent IAG suffered a 3% fall in share value as a result of the problem.
Last year BA experienced a catastrophic IT failure leaving tens of thousands of passengers stranded and global flight interruptions, which it claimed was a result of a power surge in its control centre.
The airline has published the following FAQs on its website
How do I know if I have been affected?
This relates to customer bookings made or changed between 22:58 BST August 21 2018 and 21:45 September 5 2018 inclusive. We will be contacting affected customers directly to advise them of what has happened and are advising them to contact their banks or credit card providers and follow their recommended advice.
Will there be any compensation?
Every customer affected will be fully reimbursed and we will pay for a credit checking service. We take the protection of our customers’ data seriously, and are very sorry for the concern that this criminal activity has caused. We will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis.
What data has been lost?
The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised. No passport or travel details were stolen.
How do I reset my ba.com password?
Click the Forgotten Pin/Password link on the top right-hand corner of the ba.com homepage.
We recommend you choose a unique password that you do not use for any other online account.
Should I call my bank or cancel my credit cards?
We recommend you contact your bank and follow their recommended advice.
What shall I do if I am due to travel today?
The incident has been resolved and all systems are working normally so customers due to travel can check-in online as normal.
Will I still be able to check in?
Yes, all customers booked on our flights will be able to check in as normal.
Will this affect any future bookings?
The incident has been resolved and ba.com is working normally so future bookings will not be affected.
Does this affect Executive Club accounts in any way? ie missing Avios/Tier Points
Executive Club accounts were not affected.