BA has been contacting customers after revealing a two-week raid on passengers’ personal and financial details which was finally spotted on Wednesday.
The UK carrier has taken out adverts in Friday’s newspapers apologizing for the breach, but details remain scant.
It claimed the stolen details did not contain “travel or passport details” but those affected are being urged to contact their bank as card details were taken. Reports suggest 380,000 transactions made over a 16-day period were affected.
“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making or changing bookings on our website and app were compromised,” a note on the BA site said. “The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.”
Although BA CEO, Alex Cruz, has been playing up the sophistication of the attack, nothing is yet known about how the hackers compromised the firm’s website and app. However, BA itself did not discover the incident — instead it had to be told by a partner on Wednesday, according to reports.
Experts urged affected customers to contact their bank immediately to cancel cards and change their BA.com passwords.
Eset security specialist, Jake Moore, warned of possible follow-on phishing attacks.
"After a large-scale incident like this, fraudsters from around the world will inevitably jump at the chance to try and catch a few unsuspecting people out,” he said.
“If you receive any emails purporting to be from this incident or such like mentioning it asking for any personal information or to click on unverified links, discard them.”
Others praised BA’s incident response.
"BA's reaction is very fast. The company's transparency and frankness serve as a good example to other companies who are prone to minimizing the consequences,” said High-Tech Bridge CEO, Ilia Kolochenko. “It is, however, too early to make any definitive conclusions prior to a holistic technical investigation of the breach and its origins.”
The breach represents the first major incident that actually took place after the GDPR came into effect, so the industry will be keenly awaiting further details as they emerge.