
British Airways data breach exposes thousands of customers’ debit and credit cards

Thousands of British Airways customers could be at risk of fraud after their personal data and credit card details were stolen in a sophisticated hack.

The airline has confirmed that cyber criminals intercepted 380,000 transactions during the last fortnight, as experts warned affected customers to be vigilant to targeted emails and calls.

The breach occurred between 21 August and 5 September and compromised card numbers, expiration dates and CVV security codes. It is illegal for businesses to store CVV numbers and BA insisted it had not done so, suggesting hackers were able to intercept payments in real-time.

Researchers have estimated that the stolen data could be worth up to £21.5m on the dark web.’s Dark Web Market Price Index shows that criminals are prepared to pay up to £56.50 per card.

Customers’ names and email addresses were also exposed during the breach, and the National Cyber Security Centre has urged affected customers to be wary of suspicious phone calls and targeted emails.

In an interview with the BBC on Friday morning (7 Sept), chief executive Alex Cruz described the attack as sophisticated and malicious. The airline has pledged to fully reimburse customers and pay for a credit checking service.

“We’re extremely sorry,” Cruz told the Today Programme. “I know that it is causing concern to some of our customers, particularly those customers that made transactions over and app.”

“We discovered that something had happened but we didn’t know what it was [on Wednesday evening],” he added. “So overnight, teams were trying to figure out the extent of the attack.”

The airline is now reaching out to customers who have been affected by the breach.

Since sweeping new European data protection rules came into force in May, companies that fall victim to data breaches have been liable to fines of up to four per cent of their annual global turnover. BA’s revenue for 2017 amounted to more than £12bn.

Simon Edwards, a cyber investigator at Trend Micro, suggested that the breach proved that the General Data Protection Act (GDPR) is working: “BA has reported the breach quickly and in a highly professional manner.”

The Information Commissioner’s Office said it was investigating the incident.