From 22:58 BST August 21 2018 until 21:45 BST September 5 2018, British Airways investigated the theft of customer data from its website (ba.com) and mobile app.
The stolen data of 380,000 passengers consisted of personal and financial details of customers making bookings and changes on ba.com and the airline’s app. The data did not include travel or passport details.
The breach was reported to authorities and the website is now working as normal.
British Airways wrote on its website: “We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice.
“British Airways will not be contacting any customers asking for payment card details and any such requests should be reported to the police.
“We understand that this incident will cause concern and inconvenience. We have contacted all affected customers to say sorry, and we will continue to update them in the coming days.”
The airline advises that, if you believe you have been affected by the incident, you should contact your bank or credit card provider and follow their recommended advice.
Ilia Kolochenko, CEO of High-Tech Bridge, comments: “British Airways’ reaction is very fast. The company’s transparency and frankness serve as a good example to other companies who are prone to minimise the consequences. It is, however, too early to make any definitive conclusions prior to a holistic technical investigation of the breach and its origins.
“Shadow IT and legacy applications are a plague of today. Large organisations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. On the other side, cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve as perfect prey to the attackers.
“Web applications are the Achilles’ heel of modern companies and organisations. Lawmakers make their lives even more complicated, as for example with GDPR, many organisations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed or implemented.”
Customers should also be aware that fraudsters may claim to be British Airways and attempt to gather personal information by deception (known as ‘phishing’).
Written by Leah Alger