British Airways, which once liked to describe itself as “The World’s Favourite Airline”, is about to become a whole lot less popular with hundreds of thousands of its customers.
The airline has announced that hackers have stolen customers’ personal and payment card information from its website:
We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.
From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised.
The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.
We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.
Details are currently sparse, although BA spokespeople appear to have confirmed to the media that some 380,000 card payments were compromised in the breach of its website.
BA says that it has now resolved the vulnerability, and that it is safe for passengers to check in and book flights online. Customers are being advised to contact their banks for further advice.
It continues to investigate the incident and, one imagines, will be publishing more details about the serious security breach as they become available.
Quite frankly, with GDPR now in force, it won’t just be affected customers who are watching with interest how this incident plays out.
Readers with long memories may recall that this is not the first time that British Airways has suffered at the hands of hackers.
For more discussion of this issue, be sure to listen to this episode of the “Smashing Security” podcast:
Smashing Security #095: 'British Airways hack, Mac apps steal browser history, and one person has 285,000 texts leaked'
They have a very poor password policy, nothing complex allowed, no special characters and quite short, I couldn’t get past creating a log on with more than 6 characters!