British Airways owner IAG has said that 185,000 further customers may have had their personal details compromised during a cyber attack.
The group said in a stock exchange announcement that as part of an investigation into a cyber attack that took place earlier this year, it is contacting two groups of customers not previously notified.
This includes the holders of 77,000 payment cards whose name, billing address, email address, card payment information – including card number, expiry date and card verification value – have potentially been compromised.
A further 108,000 people’s personal details without card verification value have also been compromised.
Last month the airline said it was “deeply sorry” after the online theft of customer data that “compromised” around 380,000 payment cards and vowed to compensate those financially affected.
BA faces a possible fine of around £500 million over the breach, with regulators now investigating the incident.
The data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR).
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17 million or 4% of global turnover, whichever is greater.
In the year ended December 31 2017, BA’s total revenue was £12.2 billion, meaning the company could face a fine of around £500 million if the Information Commissioner’s Office (ICO) takes action.