British Airways announced last night that it is investigating the theft of customer data from its website, ba.com, and the airline’s mobile app. The stolen data did not include travel or passport details, the airline confirmed.

From 22:58 BST August 21, 2018 until 21:45 BST September 5, 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised, the airline said in a statement. BA has confirmed that the breach has been resolved and its website is now working normally.

British Airways says that it is “communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.”

Alex Cruz, British Airways’ Chairman and Chief Executive, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

“GDPR has placed us in a world where disclosure of data breaches is likely to occur before the full details of the attack are known,” says Jim Mackey, technical evangelist at Synopsys. “On the positive side, companies are highly incented to improve the level of security monitoring they perform. While to the travelling public, a two-week window under which the attack wasn’t properly identified as such is alarming, the reality is that absent regulations like GDPR such incidents could go undisclosed for significantly longer. It is my hope that while we see an increase in disclosures in the near term, as organisations improve their software and system security measures a marked decline in successful attacks will ensue.”

Israel Barak, Chief Information Security Officer at Cybereason, added: “The British Airways breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone. Collectively, this is a blow to our privacy and British Airways joins a growing list of organisations that have faced a knockdown punch. For the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry, until we can start making cybercrime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts.”