British Airways suffered a second cyberattack which compromised customers’ bank card details including card-security codes.
BA revealed the attack late yesterday ahead of issuing third-quarter results. The breach occurred between April 21 and July 28, predating the security breach the airline suffered in late August and early September.
It took the number of customers whose payment cards may have been compromised in the two attacks on BA to 565,000.
Investigators believe the attacks were linked, with BA noting: “The investigation [of the August-September breach] has shown the hackers may have stolen additional personal data.”
The earlier breach appears to have involved the compromise of BA’s loyalty programme since it affected customers making reward bookings.
BA said it had notified the holders of 77,000 payment cards of the attack, revealing: “The name, billing address, email address, card payment information, including card number, expiry date and CVV [security code on the back of cards] have potentially been compromised.”
The carrier said a further 108,000 cards were compromised without the loss of CVV numbers, meaning the data of 185,000 customers was accessed in the April-July attack.
BA also confirmed that 244,000 payment cards were “affected” by the breach between August 21 and September 5. It did not explain what it meant by “affected”.
The airline gave notice of that breach on September 6, when it said as many as 380,000 cards had been compromised.
Of the April-July breach, BA said: “The potentially impacted customers were only those making reward bookings between April 21 and July 28 and who used a payment card.
“While BA does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers.”
The carrier advised customers to contact their bank or card provider.
The data breach between August 21 and September 5 was described by one cyber security expert as possibly “the worst financial data breach of all time”.
BA said: “The airline has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate the data theft.”