Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

BA data breach: What does the British Airways hack mean for customers?

With stolen financial data, a fraudster has a range of options, from cloning cards to making online purchases

Simon Calder
Travel Correspondent
Saturday 08 September 2018 11:57 BST
Comments
BA data breach: 'Name, email, address and credit card information' stolen, says CEO

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

“A very sophisticated, malicious attack”: that is how BA’s boss, Alex Cruz, described a security breach that allowed cyber criminals to steal personal and financial information from 380,000 customers who booked direct with the airline over a two-week spell.

Once again, a failure in British Airways’ IT system has caused massive problems for customers. These are the key questions and answers.

Q What happened?

Between 10.58pm on 21 August and 9.45pm on 5 September 2018, hackers stole the personal and financial details of people who booked flights on the ba.com website and the British Airways app.

The data breach was identified, according to BA, when “a third party noticed some unusual activity and informed us about it”. The airline informed the police and the Information Commissioner.

British Airways will not say who the third party was. But The Independent understands it was a company, possibly another airline, that was targeted with a high volume of attempted fraudulent transactions. It is not clear, though, how this was traced back to BA.

The airline says that once the theft was identified, ”We immediately acted to close down the issue, and started an investigation as a matter of urgency”.

Q Who does this affect?

An estimated 380,000 people who booked direct with the airline during the 15-day spell when security was breached. Bookings made outside this timeframe, or through travel agents, are unaffected.

Travellers who booked BA “code-share” flights through other airlines’ websites, such as Aer Lingus, American Airlines or Iberia have not had their details stolen.

Q What data was stolen, and what could it be used for?

When a passenger makes a booking through the British Airways website, they must submit their name, address and credit or debit card details. BA has confirmed that all bank card details were at risk: the number, expiry date and security code or “Card Verification Value” (CVV) on the back.

With this information, a fraudster has a range of options, from selling on the data to other criminals to cloning cards or making online purchases.

Because of the limited time before the fraud is uncovered, a popular way to extract value from stolen details is to buy plane tickets, typically for high-value, short-notice trips. That is why it is possible that another airline alerted British Airways to the fraud.

The airline stresses that “no passport or travel details were stolen”. That should mean that there is no connection between the name and address of the person and their planned dates for being away from home, nor for their passport data to be misused.

The nature of the stolen data suggests that it happened during the payment clearing stage of each transaction. The bank wants to check the name, address and card details, rather than the nature of the purchase.

Q What details have been stolen – and if my details were stolen, what do I need to do?

You should already have been contacted by British Airways and told: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice.”

The bank may treat your card as physically stolen. The account remains the same, but the compromised card number is changed. That means considerable hassle providing new details to all the firms that automatically bill your credit or debit card.

American Express is telling holders of its British Airways-branded cards: “If you have used your American Express card to book with British Airways, we are monitoring your account for you.

“We have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our cardmembers are never liable for any fraudulent charges on their accounts.”

Q Will I get compensation?

If you report the theft of your card details as soon as you become aware, issuers will not charge you for financial transactions. Of course many of the people who bought flights may be away and uncontactable.

That appears to rule out claims from customers who incur costs such as loss of earnings from having to “reboot” their financial settings.

Q Will my flight booking be affected?

No. This appears purely to be a financial crime, and has no effect on the airline’s day-to-day operations.

Unlike in June, when thousands of passengers had their BA tickets cancelled and refunded after the airline said its fares system was supplying incorrect data, all bookings made during the affected spell should go ahead as normal.

Q What does this mean for British Airways?

It is another severe embarrassment related to the airline’s information technology systems. In July around 7,000 passengers had their flights to or from Heathrow cancelled after a failure of an IT system provided to BA by Amadeus.

In May 2017, a “power outage” triggered a collapse in the airline’s information systems and the cancellation of hundreds of flights over a bank holiday weekend.

As with that event, the costs from this data breach could run into tens of millions of pounds. In addition BA could face a stiff fine from the Information Commissioner.

After a cyber attack on TalkTalk in 2015, which affected fewer than half as many customers as BA’s breach, the telecom firm was fined £400,000. The commissioner’s line then was: “Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.”

I bought my BA ticket before the hack, but I flew during it. Is my data likely to be compromised?

No, the cyber theft affects only bookings made in the affected timeframe from 21 August to 5 September.

Anything else?

Beware: the British Airways breach is likely to trigger further attempts at cyber crime, with fraudsters sending out scam emails in a bid to obtain confidential information. BA says: ”British Airways will not be contacting any customers asking for payment card details, any such requests should be reported to the police and relevant authorities.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in