LONDON • British Airways (BA) was forced to apologise yesterday after the credit card details of hundreds of thousands of its customers were stolen over a two-week period in the worst-ever attack on its website and app.
The airline discovered on Wednesday that bookings made between Aug 21 and Sept 5 had been infiltrated in a "very sophisticated, malicious criminal" attack, BA chairman and chief executive Alex Cruz said. It immediately contacted customers when the extent of the breach became clear.
Around 380,000 card payments were compromised, the airline said, with hackers obtaining names, street and e-mail addresses, as well as credit card numbers, expiry dates and security codes - sufficient information to steal from accounts.
The attack came 15 months after the carrier suffered a massive computer system failure at London's Heathrow Airport, which left 75,000 customers stranded over a holiday weekend.
Mr Cruz said the carrier was "deeply sorry" for the disruption caused by the sophisticated crime, which was unprecedented in the more than 20 years that BA had operated online.
He said the attackers had not broken the airline's encryption but did not explain exactly how they had obtained the customer information. "There were other methods, very sophisticated efforts, by criminals in obtaining the data," he told BBC Radio. "It was having access to our systems in an illicit way, it was very sophisticated."
British Airways informed customers affected by the attack on Thursday, Mr Cruz said. It advised them to contact their bank or credit card provider and follow their recommended advice. It also took out ads in national newspapers yesterday.
Mr Cruz said that anyone who lost out financially would be compensated by the airline.
"The moment we found out that actual customer data had been compromised, that is when we began an all-out immediate communication to our customers, that was the priority," he said.
Prime Minister Theresa May's spokesman said yesterday that the government was aware of a cyber attack affecting BA customers, and the authorities were working to better understand the incident.
Britain's National Crime Agency said it was assessing the matter, while its data protection watchdog, the Information Commissioner's Office, will make its own inquiries.
Data security expert Trevor Reschke said that like any website which sees large volumes of card transactions, British Airways was a ripe target for hackers.
"It is now a race between British Airways and the criminal underground," said Mr Reschke, head of threat intelligence at Trusted Knight. "One will be figuring out which cards have been compromised and alerting victims, while the other will be trying to abuse them while they are still fresh."
International Airlines Group (IAG), which owns BA, said the data breach had been resolved and the website was working normally, and that no travel or passport details were stolen.
Other companies have been hit by data breaches in the past. In 2014, hackers stole information on more than 500 million Yahoo accounts. Last year, hackers behind the WannaCry ransomware attack that crippled hospitals, banks and other companies across the globe encrypted data and demanded ransom payments in bitcoins.
The NotPetya ransomware attack last year began in Ukraine, before spreading through corporate networks of multinationals.
One of the victims - shipping giant Maersk - reportedly had to spend as much as US$300 million (S$413 million) replacing 45,000 PCs and 4,000 servers.
REUTERS, AGENCE FRANCE-PRESSE