[BreachExchange] British Airways admit a further 185, 000 customers may have had their personal details compromised in cyber attack

Destry Winant destry at riskbasedsecurity.com
Fri Oct 26 03:23:53 EDT 2018


British Airways owner IAG has said that 185,000 further customers may
have had their personal details compromised during a cyber attack.

The group said in a stock exchange announcement that as part of an
investigation into a cyber breach that took place earlier this year,
it is contacting two groups of customers not previously notified.

This includes the holders of 77,000 payment cards whose name, billing
address, email address, card payment information - including card
number, expiry date and Card Verification Value - have potentially
been compromised.

A further 108,000 people's personal details without Card Verification
Value have also been compromised, taking the total to 185,000.

In September, thousands of BA customers had to cancel their credit
cards after the airline admitted that a 15-day data hack had
compromised 380,000 payments, prompting a criminal inquiry led by
specialist cyber officers from the National Crime Agency (NCA).

The firm said today that of the 380,000 payment card details
identified, 244,000 were affected.

This takes the total number of payment cards potentially affected by
the hack to 429,000.

However, British Airways confirmed that it had no verified cases of
fraud since the announcement on September 6, adding that potentially
impacted customers were only those making reward bookings between
April 21 and July 28 and who used a payment card.

 A spokesman said:  'While British Airways does not have conclusive
evidence that the data was removed from its systems, it is taking a
prudent approach in notifying potentially affected customers, advising
them to contact their bank or card provider as a precaution.

'Since the announcement on September 6, 2018, British Airways can
confirm that it has had no verified cases of fraud.'

The company is facing a multimillion-pound fine as a result of the
data breach, which the airline's chief executive described as a
'malicious criminal attack'.

Cyber criminals behind the attack obtained enough credit card details
to use them, and BA now faces a possible fine of around £500 million
over the breach, with the Information Commissioner's Office (ICO) also
investigating the incident.

BA's data breach took place after the introduction of the new Data
Protection Act, which includes the provisions of the new European
General Data Protection Regulation (GDPR).

Under the new regulations, the maximum penalty for a company hit with
a data breach is a fine of either £17 million or 4% of global
turnover, whichever is greater.

In the year ended December 31 2017, BA's total revenue was £12.2
billion, meaning the company could face a fine of around £500 million
if the ICO takes action.

More information about the BreachExchange mailing list