British Airways Suffers Massive Data Breach
British Airways has become the latest victim of a cyber-attack after revealing a major data breach involving the personal data of 380,000 customers.
The airline confirmed that over a two-week period, the personal and financial details of customers making or changing bookings had been compromised.
The breach took place between 21 August and 5 September, and within this time frame hackers were able to gain access to names, addresses, email addresses, credit card numbers, expiry dates and security codes. Travel and passport details are thought to be unaffected by the breach.
Customers who made bookings through ba.com or the airline’s app are being urged to contact banks and credit card providers to check for any fraudulent activity on their accounts.
BA chairman and chief executive, Alex Cruz, said the airline was “deeply sorry” for the disruption caused by the criminal activity and that the airline takes the protection of customer data very seriously.
He said the attackers had not broken the airline’s encryption system but had gained access through other sophisticated, illicit means.
British Airways is communicating with affected customers and advises any customers who believe they may have been affected by the incident to contact their banks or credit card providers and follow their recommended advice.
The breach is the first major incident since the GDPR came into effect. The GDPR requires that organisations disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection.
If the breach results in a high risk of affecting an individual’s rights and freedoms, then the individual must be notified with immediate effect.
The Information Commissioner’s Office (ICO) has confirmed that it has been notified of the BA breach and a spokesperson said they would be “making inquiries” but declined to comment further given the airline’s investigations were “at a very early stage”.
Under the current regulation, organisations in breach of the GDPR can be fined up to 4% of annual global turnover or 20 million euros (whichever is greater).
Customers affected by the breach are being advised to change their online passwords, monitor bank accounts and be wary of emails regarding the breach as criminals will often take advantage of newsworthy events to launch phishing scams.