British Airways hack is worse than originally thought

An additional 185,000 customer payment cards were compromised.

British Airways hack is worse than originally thought

Last month, British Airways announced that the customer data and details of some 380,000 card payments had been stolen from its network by hackers between August 21 and September 5 2018.

Now, in an update posted on its website, British Airways says it has discovered that more of its customers have been affected – with potentially impacted individuals being those who made reward bookings between April 21 and July 28, 2018, and who used a payment card.

“Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.”

“The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV.”

The numbers are here are a little confusing, so let me try to clarify things:

British Airways initially said 380,000 payment card details were accessed by hackers in late August/early September. They now say they are able to reduce that figure to 244,000. That’s obviously an improvement.

However, the airline’s investigation has also uncovered that hackers were stealing information earlier in the year, with details of an additional 77,000+108,000 payment cards.

Sign up to our free newsletter.
Security news, advice, and tips.

In total, I make that 429,000 payment card details that may have been stolen – and an additional 185,000 customers who need to be notified.

Like Cathay Pacific, which announced a much larger data breach this week, British Airways is keen to underline that it has seen no evidence that stolen information has been exploited by criminals.

This is a reassuring paragraph that hacked companies often emphasise in their communications to concerned customers, but you should be cautious about feeling too reassured.

An absence of evidence is not evidence of absence – if some of the stolen data has been misused by fraudsters and spammers, it wouldn’t necessarily have been linked back to this breach.

Put simply, there’s no reason to believe that British Airways would have any visibility on whether data being misused by criminals – so we shouldn’t be surprised to hear that they’ve seen no verified cases of fraud as a result of the hack.

At the time of the original British Airways breach announcement in September we discussed the case on this episode of the “Smashing Security” podcast. Give it a listen:

Smashing Security #95: 'British Airways hack, Mac apps steal browser history, and one person has 285,000 texts leaked'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.