British Airways has been forced to apologise to hundreds of thousands of its customers after their credit card details and other personal information were stolen over a two-week period in the worst ever attack on its website and app.

Around 380,000 card payments were compromised, with hackers obtaining names, postal and email addresses, credit card numbers, expiry dates and security codes – all the information needed to steal from accounts.

The data breach was discovered on Wednesday, with bookings made between 21 August and 5 September affected by what BA chairman and CEO Alex Cruz called a “very sophisticated, malicious” attack on the companys systems. Customers were immediately contacted as soon as the extent of the breach became clear.

“Were extremely sorry,” said Cruz during an interview on the BBCs Today programme. “I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app. We discovered that something had happened but we didnt know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.”

The breach comes 15 months after a massive computer system failure by BA caused chaos at Londons Heathrow airport, stranding 75,000 customers over a holiday weekend. News of the breach caused shares in British Airways parent company, International Airlines Group, to fall three per cent in early trading.

BA has advised customers affected by the attack to contact their bank or credit card provider and follow recommended advice. It also took out ads in national newspapers to inform those potentially affected.

Cruz has confirmed that anyone who has lost out financially will be compensated by the airline, which has already launched an investigation into the breach and is working with police and other relevant authorities. According to IAG, all its websites are now working normally, no travel or passport details were stolen, and the attackers have not broken the airlines encryption.