More than 185,000 additional people may have had payment card details stolen from British Airways during an attack on its website, in a breach that was only discovered while investigating a separate attack that affected 380,000 transactions. According to BA’s owner IAG, both attacks are suspected to have been carried out by the same group.
The newly discovered breach is thought to have gone undetected for months, with the attack taking place between 21 April and 28 July, at least a month before the already-disclosed attack that compromised almost 400,000 customers. The new attack only affected customers who had made bookings by cashing in BA loyalty program rewards, and BA has confirmed that it will be contacting those impacted by the breach to advise them on what action to take.
Two groups of customers were affected by the attack, with 77,000 people having their name, address, email address and detailed payment information taken. A further 108,000 people had personal details for their payment cards, excluding the CVV number, stolen.
The previously disclosed attack, which took place between 21 August and 5 September, prompted an investigation by the UK’s National Crime Agency and the Information Commissioner’s Office, with BA and IAG potentially facing huge fines under GDPR if any wrongdoing or mismanagement of data is found. According to British Airways, since the announcement on 6 September, there have been no verified cases of fraud using the details stolen.