British Airways apologizes as data breach hits 380,000+ customers

The airline announced the cyber attack via Twitter and news outlets, and it offered information through its website. However, many complained that an email to its customers came too late.

British Airways is scrambling after a data breach compromised payment and personal information for more than 380,000 customers.

The security breach, which happened between Aug. 21 and Sept. 5, is the worst that the airline has ever seen, affecting people who booked through its website and its mobile app. Though personal and financial details were compromised, British Airways said no passport information was leaked.

The Telegraph reported:

It is thought the number of payments compromised could be up to 400,000 and BA confirmed Friday morning hackers had obtained names, addresses, credit card numbers, expiry dates and the three-digit security codes on the backs of cards – plenty to make a fraudulent payment.

Alex Cruz, BA’s chairman, revealed the hackers were “very sophisticated criminals” who had not hacked the company’s encrypted data, but rather gained “illicit access” to the airline’s system.

On Thursday, British Airways tweeted the news:

On Friday, the airline’s chief executive, Alex Cruz, sent a letter to customers apologizing for the breach. It read:

From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at, and on our app were compromised. The stolen data did not include travel or passport information.

The breach has been resolved and our website is working normally.

We’re deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice.

We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.

Further information can be found at

The airline provided answers to several common questions about the incident on its website, including how consumers can find out if they’ve been affected, whether passengers can still check in to their flights and how customers can reset their passwords.

British Airways also promised affected consumers compensation for any resulting financial losses:

No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website,, and the airline’s mobile app.

The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018.

The company’s social media team has also been responding to consumers’ questions and concerns on Twitter.

Along with its announcement on Twitter, the explanation on its website and the apology via email, British Airways’ chief has been reaching out to reporters in an attempt to control the narrative.

The Daily Mail reported:

Mr Cruz said BA had “hundreds” of people communicating with customers “making sure that we can help to protect that data”.

He told the BBC on Friday morning that the attack was “sophisticated” and “malicious”.

“There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work,” he said.

“We didn’t know exactly (the) extent of the work, so overnight, the teams were trying to figure what was the extent of the attack.”

Though British Airways has communicated the news and accompanying information across multiple channels, many consumers are lashing out because the airline did not first notify affected passengers—nor did it properly prepare call center staff. Instead, the first announcements about the breach were public messages.

The Financial Times reported:

One Twitter user said he was “shocked” that BA’s call [center] had not known about the hack when he contacted it, while another said it was “disappointing” that they had found out about the breach from tweets and online news rather than from BA directly.

The Telegraph reported:

Stephanie Jowers, who works in tech and is from New York, said she contacted the airline just hours before the hack was announced on Twitter with concerns about charges on her account, but was not informed that it could have been compromised.

“I contacted BA customer service by phone three hours prior to the Twitter announcement. I was unclear about the ‘fee’ charged referencing my booking reference number. They put me on hold for a bit. Then the rep told me I would be ‘refunded within 24 hours’. I asked repeatedly for an explanation. None was given. No case ID provided either or further contact information for follow-up issues,” she told the Daily Telegraph.

Other Twitter users lashed out because they were informed via Twitter and news outlets, instead of by email from the airline or through its customer service employees.

The crisis has already caused dents in both shares and brand image.

Reuters reported:

The attack came 15 months after the carrier suffered a massive computer system failure at London’s Heathrow airport, which stranded 75,000 customers over a holiday weekend.

Shares in BA’s parent, International Airlines Group ( ICAG.L ), fell 3 percent in early deals on Friday.

Bloomberg reported that IAG’s shares fell “by as much as 5.8 percent, the most in seven months.”

What do you think of how British Airways communicated its cyber attack, PR Daily readers? What would you have advised?

(Image via)


PR Daily News Feed

Sign up to receive the latest articles from PR Daily directly in your inbox.