British Airways on Friday said it was “deeply sorry” after the online theft of customer data that “compromised” around 380,000 payment cards and vowed to compensate those financially affected.
Alex Cruz, British Airways’ chairman and chief executive, said in a statement: “We are deeply sorry for the disruption that this criminal activity has caused.
“We take the protection of our customers’ data very seriously.”
The airline said the personal and financial details of customers who made bookings on its website or app from 10.58pm on August 21 until 9.45pm on September 5 had been compromised and that police were now investigating.
Cruz, speaking on BBC Radio 4’s Today on Friday, said that cyber criminals had obtained enough credit card information to be able to use the cards, in what was a “very sophisticated malicious criminal attack”.
He said BA was “100% committed” to compensating customers who were financially affected.
“We know that the information that has been stolen is name, address, email address, credit card information; that would be credit card number, expiration date and the three-letter code in the back of the credit card,” Cruz said.
“No itinerary information, no frequent flier data, no passport data has been compromised.”
He defended the speed at which customers were notified about the breach, telling the BBC: “The moment we found out that actual customer details had been compromised, that is when we began an all-out immediate communication to our customers, that was the priority.”
Downing Street said the National Cyber Security Centre and the National Crime Agency were “working to better understand what has happened”.
A No 10 spokeswoman said: “We are aware of the reports and we are working to better understand the incident and how it affected customers.”
BA faces a possible fine of around £500 million over the breach, with regulators now investigating the incident.
The data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR).
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17 million or 4% of global turnover, whichever is greater.
In the year ended December 31 2017, BA’s total revenue was £12.2 billion, meaning the company could face a fine of around £500 million if the Information Commissioner’s Office (ICO) takes action.
The airline has urged customers affected to contact their banks or credit card providers.
BA said the stolen data did not include travel or passport details, adding that it was investigating the security breach as a matter of urgency.
Alex Cruz, chairman and chief executive of the airline, said it was “deeply sorry for the disruption that this criminal activity has caused”.
A statement said: “British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.
“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.
“The breach has been resolved and our website is working normally.
“British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.
“We have notified the police and relevant authorities.”
The company said the breach had been resolved and the website was now working normally.
It added it is communicating with affected customers and advised anyone who believed they may have been affected to contact their banks or credit card providers.