British Airways today announced the theft of customer data from its website and mobile application.
Customers who used the airline's website or mobile application to make bookings between August 21 and September 5 are affected by the incident.
The airline is offering few details at the moment, because the investigation is ongoing and it is too early to assess the damage. It says it has stopped the breach and notified the relevant authorities.
Travel and passport information was not affected, the air carrier says, but the personal and financial details of 380,000 customers were accessed by an unauthorized party.
"We will be contacting affected customers directly to advise them of what has happened and are advising them to contact their banks or credit card providers and follow their recommended advice," British Airways says in a statement.
All operations are running normally at the moment, but users are advised to change their passwords and to choose a strong one that is not reused on other sites. The air carrier also recommends that affected customers call their bank and follow its instructions, to limit potential financial damage.
To make sure the message reaches a large portion of its customers, British Airways pinned the breach announcement to its Twitter page, where all of its 1.17 million followers can see it.
"We are investigating the theft of customer data from our website and our mobile app, as a matter of urgency. For more information, please click the following link: https://t.co/2dMgjw1p4r" (British Airways, @British_Airways, September 6, 2018)
“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously,” said Alex Cruz, British Airways’ Chairman and Chief Executive.
Publicly announcing the incident this way is not only a good way to inform customers; it may also help the air carrier obtain a smaller fine from the UK's data protection watchdog, the Information Commissioner's Office (ICO).
The move is also in accord with GDPR provisions, which require organizations in the UK to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the incident.
If the breach is likely to result in a high risk to individuals' rights and freedoms, the affected individuals must also be notified without undue delay. Where the organization cannot identify or directly reach everyone affected, a public announcement of this magnitude is a reasonable way to meet that obligation.
A similar incident was reported by Air Canada on August 28. Data from its mobile application had been accessed without authorization over a two-day period, and the company responded by locking all 1.7 million of its mobile app accounts.
Around 20,000 customers were affected by that incident. The intruder could have obtained at least each account holder's name, email address and telephone number, since those fields are required to create a mobile app account.