British Airways is scrambling after a data breach compromised payment and personal information for more than 380,000 customers.
The security breach, which happened between Aug. 21 and Sept. 5, is the worst that the airline has ever seen, affecting people who booked through its website and its mobile app. Though personal and financial details were compromised, British Airways said no passport information was leaked.
It is thought the number of payments compromised could be up to 400,000 and BA confirmed Friday morning hackers had obtained names, addresses, credit card numbers, expiry dates and the three-digit security codes on the backs of cards – plenty to make a fraudulent payment.
Alex Cruz, BA’s chairman, revealed the hackers were “very sophisticated criminals” who had not hacked the company’s encrypted data, but rather gained “illicit access” to the airline’s system.
On Thursday, British Airways tweeted the news:
We are investigating the theft of customer data from our website and our mobile app, as a matter of urgency. For more information, please click the following link: https://t.co/2dMgjw1p4r
— British Airways (@British_Airways) September 6, 2018
On Friday, the airline’s chief executive, Alex Cruz, sent a letter to customers apologizing for the breach. It read:
From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at ba.com, and on our app were compromised. The stolen data did not include travel or passport information.
The breach has been resolved and our website is working normally.
We’re deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice.
We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.
Further information can be found at ba.com.
The airline provided answers to several common questions about the incident on its website, including how consumers can find out if they’ve been affected, whether passengers can still check in to their flights and how customers can reset their passwords.
British Airways also promised affected consumers compensation for any resulting financial losses:
No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, ba.com, and the airline’s mobile app.
The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018.
The company’s social media team has also been responding to consumers’ questions and concerns on Twitter.
Along with its announcement on Twitter, the explanation on its website and the apology via email, British Airways’ chief has been reaching out to reporters in an attempt to control the narrative.
Mr Cruz said BA had “hundreds” of people communicating with customers “making sure that we can help to protect that data”.
He told the BBC on Friday morning that the attack was “sophisticated” and “malicious”.
“There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work,” he said.
“We didn’t know exactly (the) extent of the work, so overnight, the teams were trying to figure what was the extent of the attack.”
Though British Airways has communicated the news and accompanying information across multiple channels, many consumers are lashing out because the airline did not first notify affected passengers—nor did it properly prepare call center staff. Instead, the first announcements about the breach were public messages.
One Twitter user said he was “shocked” that BA’s call [center] had not known about the hack when he contacted it, while another said it was “disappointing” that they had found out about the breach from tweets and online news rather than from BA directly.
The Telegraph reported:
Stephanie Jowers, who works in tech and is from New York, said she contacted the airline just hours before the hack was announced on Twitter with concerns about charges on her account, but was not informed that it could have been compromised.
“I contacted BA customer service by phone three hours prior to the Twitter announcement. I was unclear about the ‘fee’ charged referencing my booking reference number. They put me on hold for a bit. Then the rep told me I would be ‘refunded within 24 hours’. I asked repeatedly for an explanation. None was given. No case ID provided either or further contact information for follow-up issues,” she told the Daily Telegraph.
Other Twitter users lashed out because they were informed via Twitter and news outlets, instead of by email from the airline or through its customer service employees.
Furious @British_Airways Found out re data breach from news, before you had the decency to tell me yourself I was likely affected. I’m travelling alone in Vietnam & have had to put stop on the card, which makes me vulnerable & I’m now spending precious hol time trying to resolve
— Michelle Dewberry (@MichelleDewbs) September 7, 2018
So I’m one of the lucky 380,000 @British_Airways customers who’ve had their credit/bank card details hacked: it takes BA 16 days to notice and now I get an email for #AlexCrux with a cod apology but no proper acceptance of responsibility or offer of compensation. Hmm pic.twitter.com/5xEbKjcbGI
— Simon Nayyar (@SimonNayyar) September 7, 2018
The crisis has already caused dents in both shares and brand image.
The attack came 15 months after the carrier suffered a massive computer system failure at London’s Heathrow airport, which stranded 75,000 customers over a holiday weekend.
Shares in BA’s parent, International Airlines Group (ICAG.L), fell 3 percent in early deals on Friday.
What do you think of how British Airways communicated its cyber attack, PR Daily readers? What would you have advised?