British Airways apologised today after the credit card details of hundreds of thousands of its customers were stolen from its website and app.
Financial data has been stolen from potentially 400,000 British Airways customers, in what is described as one of the most serious attacks ever to hit a UK company.
The “sophisticated, malicious criminal attack” on the airline’s website and smartphone app is reported to have taken place over a two-week period.
Álex Cruz, Chief Executive of British Airways, apologised on Friday after it was revealed that about 380,000 payment cards had been compromised.
“The first thing to say is that I am extremely sorry for what happened,” Cruz said on the BBC Radio 4 Today programme.
“We will work with any customer affected and we will compensate any financial hardship suffered.”
The airline discovered that bookings made between August 21 and September 5 had been infiltrated by the hackers.
Reports suggest names, street and email addresses, credit card numbers, expiry dates and security codes were stolen.
Storing payment card CVV numbers is prohibited under international standards.
Since BA said the attackers also managed to obtain CVV numbers, security researchers have speculated that the card details were intercepted as customers entered them, rather than harvested from a BA database.
“We will be contacting affected customers directly to advise them of what has happened,” the airline said on its website.
Shares in the owner of BA, IAG, fell nearly 3% on Friday morning.
The British flag carrier could potentially face huge fines under the EU’s new General Data Protection Regulation (GDPR).
Under GDPR, fines can be up to 4% of annual global revenue. BA’s total revenue in the year to 31 December 2017 was £12.226bn – which spells a potential fine of £489m.