British Airways: Cyberattack, data theft bigger than we first thought

185,000 customers in addition to original estimates may have had their data, including credit card information, exposed.
Written by Charlie Osborne, Contributing Writer

British Airways has revealed that the massive data breach which struck hundreds of thousands of customers is bigger than first believed.

On Thursday, the UK carrier said that a further 185,000 customers may have had their information stolen during the data breach.

In total, the threat actors behind the attack potentially gained access to an additional 77,000 payment card records containing names, billing addresses, email addresses, payment information -- including card numbers and expiry dates -- and the CVV numbers linked to each card.

CNET: Facebook hit with $645,000 fine in UK over Cambridge Analytica scandal

A further 108,000 payment card records were potentially compromised but did not contain an accompanying CVV security number.

According to British Airways, those who used a credit card to make reward bookings between April 21 and July 28 this year have potentially become victims of the cyberattack.

The airline has, however, revised the original estimate of 380,000 payment card records being exposed, as announced in early September. BA now believes that in total, 244,000 card records were affected.

Passport or travel details are not thought to be involved in the potential data leak.

The cyberattack is believed to be the work of Magecart, a financially-motivated threat group which has been active since at least 2015.

TechRepublic: Facebook data privacy scandal: A cheat sheet

Magecart's modus operandi involves injecting card-skimming scripts into vulnerable e-commerce domains for the purpose of payment card information theft and personal information belonging to shoppers.

Other recent victims include Ticketmaster, Newegg, Feedify, and broadcaster ABS-CBN.

Read on: Magecart group leverages zero-days in 20 Magento extensions

The latest wave of customers involved are being informed and if the carrier has not been in contact by 5pm on Friday 26 October, they do not need to take further action.

British Airways says there have been no reported cases of fraud, but as CVV numbers may have been leaked, customers should consider keeping an eye on their bank statements and credit reports.

In the latter case, the airline is willing to assist.

"We are very sorry that this criminal activity has occurred," the company said. "As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating."

See also: Apple blocks GrayKey police tech in iOS update

The worst cyberattacks undertaken by nation-state hackers

Previous and related coverage

Editorial standards