The bank card details of almost 400,000 British Airways customers have been stolen in one of the most serious cyber attacks to hit a UK history.
Shockingly, the breach began 16 days ago, but was not detected by the airline until Wednesday night.
It affects all 380,000 customers who booked flights online or via the BA app during that time using a debit or credit card.
BA has insisted it had told customers about the security breach as soon as it could and it had now called in the police.
But the cyber failure is a blow to the airline’s once-renowned reputation for customer service with some victims vowing never to use them again.
BA chief executive Alex Cruz said: ‘We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.’
The stolen data did not include passport details but did include ‘personal information, the airline said.
British Airways passengers may have had their personal and financial information compromised- if they booked between August 21 and September 5
British Airways customers have vented their fury at BA, especially about how long it took them to notice
The company said: ‘The breach has been resolved and our website is working normally.
‘British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.
‘We have notified the police and relevant authorities.’
Advice is currently being given to those who may have been affected, including resetting passwords on the BA website.
The airline said it will contact people who it believes may have had their data collected by the criminals.
Compensation claims will be discussed on a ‘individual basis’ the firm said.
British Airways has admitted hackers spent more than two weeks accessing data online resulting in a risk to passengers
Alex Cruz, British Airways’ chairman and chief executive, said in a statement: ‘We are deeply sorry for the disruption that this criminal activity has caused.
‘We take the protection of our customers’ data very seriously.’
The airline said it was investigating the breach as a ‘matter of urgency’ and had reported it to the police and other ‘relevant authorities’. The National Crime Agency has been brought in.
Just last month, British Airways owner International Consolidated Airlines Group said profits had hit £989 million for the first half of the year. BA raked in £780 million of that sum.
The breach was revealed at 6.27pm yesterday, after the stockmarkets had closed.
A spokesman confirmed that the airline had discovered the breach on Wednesday evening, but needed time to investigate the matter and assess which customers were affected.
The data breach affects all customers who booked flights online or used the BA.com app from 10.58pm on August 21 to 9.45pm on September 5.
BA said it had received no reports from customers who had had money fraudulently taken out of their account. It added that the breach had been ‘resolved’ and the website was ‘working normally’. The airline has taken out full-page advertisements in today’s newspapers, including the Daily Mail, apologising to customers.
What to do if you have been affected by the British Airways data theft
If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice. Please check back here for further updates, we will be updating this page.
How do I know if I have been affected?
This relates to customer bookings made from 22:58 BST August 21 2018 to 21:45 September 5 2018 inclusive. We will be contacting affected customers directly to advise them of what has happened and are advising them to contact their banks or credit card providers and follow their recommended advice.
Will there be any compensation?
We take the protection of our customers’ data seriously, and are very sorry for the concern that this criminal activity has caused. We will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis.
What data has been lost?
The personal and financial details of customers making bookings on ba.com and the airline’s mobile app were compromised. No passport or travel details were stolen.
Should I call my bank or cancel my credit cards?
We recommend you contact your bank and follow their recommended advice.
What shall I do if I am due to travel today?
The incident has been resolved and all systems are working normally so customers due to travel can check-in online as normal.
Will I still be able to check in?
Yes, all customers booked on our flights will be able to check in as normal.
Will this affect any future bookings?
The incident has been resolved and ba.com is working normally so future bookings will not be affected.
Everyone affected by the breach was urged to contact their bank or credit card company as soon as possible.
The leak is significant because the scale of the payment information accessed by the hackers is almost without precedent in the UK. Telecoms firm TalkTalk was handed a record £400,000 fine by the Information Commissioner’s Office (ICO) in 2016 when data from 156,959 customers was leaked the previous year, but financial information from just 15,656 was accessed.
The airline has taken out full-page advertisements in today’s newspapers (pictured), including the Daily Mail, apologising to customers for the breach
Banks are legally obliged to refund customers who have had money fraudulently taken from their account, but the hack raises fears that BA customers’ details will be sold on the ‘dark web’ to fraudsters intent on hacking their accounts.
Britain’s flagship carrier has suffered a series of knocks to its reputation for customer service.
An IT shutdown last summer grounded flights and resulted in tens of thousands of passengers being stranded across the world. In July this year BA apologised after computer issues caused dozens of flights in and out of Heathrow to be cancelled.
The month before, more than 2,000 BA passengers had their tickets cancelled because the prices were too cheap.
Customers took to social media to criticise the airline last night – with many hitting out at BA for failing to contact them directly about the data breach.
One customer said on Twitter: ‘Idiots. So as an executive club member they have my card details, my passport, tel, email etc. All because you outsource IT to joke places to save money.’
Alex Neill of Which? said: ‘It is now vital that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take.
‘Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach.’
The BA Twitter account has been bombarded with complaints about the way they have handled the crisis
British Airways joined a growing list of companies whose customers had had their details stolen.
In July, Dixons Carphone admitted a huge data theft.
Initially, the company said 5.9 million customer bank card details and 1.2 million personal data records had been hacked in 2017 and went unnoticed.
Later, the company backtracked on its original figures and amended the total of customer records that had been accessed to a staggering 10 million.
Access was also gained to non-financial personal data, such as addresses, names and email information.
The major data breach involved shoppers at Currys PC World and Dixons Travel but bosses insist there is no sign of any related fraud.
** Have you been affected? Please email: [email protected] **