British Airways has suffered a data breach, with critical information about hundreds of thousands of users stolen by hackers. The company confirmed the breach and said it was done by a "very sophisticated, malicious criminal."
In total, 380,000 accounts were compromised, according to the company, with hackers stealing names, street and e-mail addresses, credit card numbers, expiration dates and security codes via the company website and the app.
The theft of this information happened over a period of two weeks, it was said, starting on August 21 and ending on September 5, when it was eventually discovered.
Chief Executive Alex Cruz said the carrier was "deeply sorry" for the failure.
"There were other methods, very advanced efforts, by criminals in obtaining the data," he told BBC radio. "It had access to our systems in an unauthorized way, it was very advanced."
Cruz added that anyone who loses out financially would be compensated for their loss.
Is BA affected by GDPR?
Paul Farrington, head of EMEA at app security company CA Veracode, also warns that things are different now, with GDPR in effect.
"Now that GDPR is fully in place, the board should take BA into account with their exposure to regulatory fines, especially when it took 16 days to establish the breach, and if the financial losses were greater than it would have cost to prevent violation in the first place."
"IT problems affect not only BA, but also the wider aviation sector. Airlines have a duty to keep the aircraft in the air, and most investments go in. However, recent failures show that investments are also technology-driven. Because airlines are becoming more and more dependent on software, this creates a larger surface for hackers to attack and therefore it is no surprise that infringements on this scale become commonplace."
Malwarebytes lead malware analyst Chris Boyd says it is interesting to see a company offer such a specific time range for the attack, which is not something that usually happens:
"The only good thing we can say about this violation is that BA has specified a very short and specific period where possible data has been compromised, and we are generally fortunate to have a date range of less than six months to a year, making it possible response of a potential victim to a threat becomes difficult. This could be an important test of the new GDPR rules, and it will be fascinating to see the cause of the infringement coming into being."