British Airways reveals hack is worse than originally thought
An internal investigation by British Airways has found that its hack in late September 2018 compromised more passengers’ data than originally suspected.
Since its announcement in September 2018 concerning the breach of passengers’ personal data, British Airways (BA) has announced that the hack, which compromised nearly 400,000 individuals’ details, was larger and affected more people than was originally thought.
In a statement they issued, they said: “British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.”
“However, the investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between 21st April and 28th July 2018, and who used a payment card.”
This additional data calls into question how security is applied within the industry to protect passengers’ personal information. Following the breach revealed by Cathay Pacific on the 24th October, the IT and security of the aviation industry have never been under more scrutiny. At International Airport Review’s IT & Security conference in December, we will be asking how these hacks were able to happen, and what we can do to mitigate the effects.
In the statement, BA continued: “While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26th October at 17:00 GMT do not need to take any action. In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.”
They concluded: “We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.”
But is this enough?