British Airways hit with customer data theft

UK flag carrier says it is investigating the theft of customer data from its website and mobile app.
Written by Chris Duckett, Contributor

British Airways has notified the police after the theft of customer data from its website and mobile app.

The airline said the personal and financial details of customers who made bookings on its website or app from 10.58pm local time on August 21 until 9.45pm on September 5 had been compromised.

Around 380,000 payment cards were compromised.

BA said the stolen data did not include travel or passport details, adding that it was investigating the security breach as a matter of urgency.

The company said the breach had been resolved and the website was now working normally.

"We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously," British Airways' chairman and chief executive Alex Cruz said.

The company said it is communicating with affected customers and advised anyone who believed they may have been affected to contact their banks or credit card providers.

"We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action," the UK National Crime Agency said.

In June, British electronics retailer Dixons Carphone was hit by a massive data breach, with initial figures stating attackers accessed 5.9 million customer payment-card details and a further 1.2 million records containing personal information.

It was later revealed that 10 million customers had their personal details accessed.

That same month, Akamai researchers found nearly 40 percent of traffic on hotel and travel sites was deemed to be "impersonators of known browsers".

Analysis of malicious login attempts by country against the hotel and travel industry by researchers at Akamai found that between November 2017 and March 2018, 650 million attacks came from Russia and 625 million came from China.

"By their nature, companies in the hospitality sector often host a lot of personal information," Bernd Konig, director of security products at Akamai Technologies, told ZDNet at the time.

"For example, hotels have everything from guest credit card data through to identity documentation that guests might be required under local laws to provide at check in. This is exactly the kind of personal and payment data that would be considered valuable to hackers".

Meanwhile in America, a site for booking European train tickets, Rail Europe, revealed a three-month-long data breach of payment information in May.

The company said hackers put credit card-skimming malware on its website between late-November 2017 and mid-February 2018, and the attackers made off with a trove of data including credit card numbers, expiration dates, card verification codes, usernames, passwords, name, gender, physical and email addresses, and phone numbers.

With AAP
