BA data breach: What does the British Airways hack mean for customers?

With stolen financial data, a fraudster has a range of options, from cloning cards to making online purchases

Simon Calder
Travel Correspondent
Saturday 08 September 2018 11:57 BST
BA data breach: 'Name, email, address and credit card information' stolen, says CEO

“A very sophisticated, malicious attack”: that is how BA’s boss, Alex Cruz, described a security breach that allowed cyber criminals to steal personal and financial information from 380,000 customers who booked direct with the airline over a two-week spell.

Once again, a failure in British Airways’ IT system has caused massive problems for customers. These are the key questions and answers.

Q What happened?

Between 10.58pm on 21 August and 9.45pm on 5 September 2018, hackers stole the personal and financial details of people who booked flights on the ba.com website and the British Airways app.

The data breach was identified, according to BA, when “a third party noticed some unusual activity and informed us about it”. The airline informed the police and the Information Commissioner.

British Airways will not say who the third party was. But The Independent understands it was a company, possibly another airline, that was targeted with a high volume of attempted fraudulent transactions. It is not clear, though, how this was traced back to BA.

The airline says that once the theft was identified, “We immediately acted to close down the issue, and started an investigation as a matter of urgency”.

Q Who does this affect?

An estimated 380,000 people who booked direct with the airline during the 15-day spell when security was breached. Bookings made outside this timeframe, or through travel agents, are unaffected.

Travellers who booked BA “code-share” flights through other airlines’ websites, such as Aer Lingus, American Airlines or Iberia, have not had their details stolen.

Q What data was stolen, and what could it be used for?

When a passenger makes a booking through the British Airways website, they must submit their name, address and credit or debit card details. BA has confirmed that all bank card details were at risk: the number, expiry date and security code or “Card Verification Value” (CVV) on the back.

With this information, a fraudster has a range of options, from selling on the data to other criminals to cloning cards or making online purchases.

Because of the limited time before the fraud is uncovered, a popular way to extract value from stolen details is to buy plane tickets, typically for high-value, short-notice trips. That is why it is possible that another airline alerted British Airways to the fraud.

The airline stresses that “no passport or travel details were stolen”. That should mean that there is no connection between the name and address of the person and their planned dates for being away from home, and no scope for their passport data to be misused.

The nature of the stolen data suggests that the theft happened during the payment clearing stage of each transaction. The bank wants to check the name, address and card details, rather than the nature of the purchase.

Q What details have been stolen – and if my details were stolen, what do I need to do?

You should already have been contacted by British Airways and told: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice.”

The bank may treat your card as physically stolen. The account remains the same, but the compromised card number is changed. That means considerable hassle providing new details to all the firms that automatically bill your credit or debit card.

American Express is telling holders of its British Airways-branded cards: “If you have used your American Express card to book with British Airways, we are monitoring your account for you.

“We have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our cardmembers are never liable for any fraudulent charges on their accounts.”

Q Will I get compensation?

If you report the theft of your card details as soon as you become aware, issuers will not charge you for financial transactions. Of course, many of the people who bought flights may be away and uncontactable.

That appears to rule out claims from customers who incur costs such as loss of earnings from having to “reboot” their financial settings.

Q Will my flight booking be affected?

No. This appears purely to be a financial crime, and has no effect on the airline’s day-to-day operations.

Unlike in June, when thousands of passengers had their BA tickets cancelled and refunded after the airline said its fares system was supplying incorrect data, all bookings made during the affected spell should go ahead as normal.

Q What does this mean for British Airways?

It is another severe embarrassment related to the airline’s information technology systems. In July around 7,000 passengers had their flights to or from Heathrow cancelled after a failure of an IT system provided to BA by Amadeus.

In May 2017, a “power outage” triggered a collapse in the airline’s information systems and the cancellation of hundreds of flights over a bank holiday weekend.

As with that event, the costs from this data breach could run into tens of millions of pounds. In addition, BA could face a stiff fine from the Information Commissioner.

After a cyber attack on TalkTalk in 2015, which affected fewer than half as many customers as BA’s breach, the telecom firm was fined £400,000. The commissioner’s line then was: “Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.”

Q I bought my BA ticket before the hack, but I flew during it. Is my data likely to be compromised?

No, the cyber theft affects only bookings made in the affected timeframe from 21 August to 5 September.

Q Anything else?

Beware: the British Airways breach is likely to trigger further attempts at cyber crime, with fraudsters sending out scam emails in a bid to obtain confidential information. BA says: “British Airways will not be contacting any customers asking for payment card details, any such requests should be reported to the police and relevant authorities.”
