British Airways app and website hack exposes full card details of 380,000 customers

A ‘sophisticated’ attack on British Airways’ mobile app and website has exposed the names, email addresses and full credit card details of 380,000 customers.

Of particular concern is the fact that the attackers captured the three-digit CVV security codes on the backs of cards, something that should not normally be possible …

BA said that the hack gathered data on transactions made through its app and website between August 21 and September 5, reports the BBC.

“It was name, email address, credit card information – that would be credit card number, expiration date and the three digit [CVV] code on the back of the credit card,” said BA boss Alex Cruz.

BA insists it did not store the CVV numbers. This is prohibited under international standards set out by the PCI Security Standards Council.

Since BA said the attackers also managed to obtain CVV numbers, security researchers have speculated that the card details were intercepted, rather than harvested from a BA database.

The airline says only transactions made between the above dates were affected, and that all customers whose details were exposed have now been contacted. BA has advised affected customers to contact their banks to have cards cancelled, and has promised to compensate them for any loss.

BA said that ‘a third party’ alerted it to the breach, suggesting that it may have been detected by security researchers. If so, it’s likely we’ll learn more shortly.

Both police and the British privacy watchdog, the Information Commissioner’s Office, are investigating. If BA is found to have been negligent, Europe’s GDPR privacy laws would allow the airline to be fined up to 4% of its total global annual revenue, which would be a maximum of £489M ($634M).

Reuters reports a spokesperson for the prime minister, Theresa May, saying that the government is aware of the attack.

“We are aware of the reports and the National Cyber Security Centre and the National Crime Agency are working to better understand what has happened.”



Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

