Furious British Airways customers have been left having to cancel their credit cards after a 15-day data breach compromised around 380,000 card payments.
The airline admitted “criminal activity” had compromised the personal and financial details of customers who made bookings on its website or app from just before 11pm on August 21 until 9.45pm on Wednesday.
BA said it was investigating the vast breach “as a matter of urgency”, while the National Crime Agency and National Cyber Security Centre are also assessing the hack.
Shares in British Airways owner IAG were down over 4% shortly after the London Stock Exchange opened, before settling 2% lower.
Worried customers rushed to social media and helplines after the airline urged anyone who suspected they may have been affected to contact their bank or credit card provider.
There were reports of banks being inundated with calls, leaving account holders in lengthy queues, while some BA customers said they had to have cards cancelled and reissued as a result.
The data watchdog has said it would be making inquiries into the incident.
BA said on Thursday evening: “British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.
“The breach has been resolved and our website is working normally.”
The airline was in the process of notifying affected customers and Alex Cruz, BA’s chairman and chief executive, said it was “deeply sorry for the disruption that this criminal activity has caused”.
“We take the protection of our customers’ data very seriously,” he said.
Mr Cruz said BA had “hundreds” of people communicating with customers “making sure that we can help to protect that data”.
He told the BBC on Friday morning that the attack was “sophisticated” and “malicious”.
“There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work,” he said.
“We didn’t know exactly (the) extent of the work, so overnight, the teams were trying to figure what was the extent of the attack.”
Customer Mat Thomas said he had placed a booking on August 27, but had not been contacted over the breach.
“Atrocious that I had to find out about this via news and twitter,” he tweeted.
“Called bank and had to cancel both mine and my wife’s card. Probably won’t get it back before we fly (ironically).
“Terrible handling of the situation as I’ve still not received an email from BA!”
Gemma Theobald said she had booked on Sunday and only found out about the breach on Twitter.
She tweeted: “My bank… are experiencing extremely high call volumes due to this breach! Couldn’t do anything other than cancel my card… not how I wanted to spend my Thursday evening”.
Banks including NatWest and RBS attempted to reassure worried BA customers that they have “significant” levels of security in place, although they advised account holders to be on the lookout for any suspicious activity.
Which? said it was “vital” BA moved quickly to ensure affected customers get clear information and know what steps they need to take to protect themselves.
“British Airways customers will be concerned to hear about this data breach,” said the consumer group’s Alex Neill.
“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”
A spokesman for the Information Commissioner’s Office said they would be making inquiries about the data theft.
The incident comes after an IT meltdown caused huge disruption for BA passengers at the start of the May half-term holiday.
Some 75,000 passengers were left stranded after a glitch forced the airline to cancel nearly 726 flights over three days.
The airline’s recent data breach follows a massive incident that saw around 10 million records containing personal data of Dixons Carphone customers accessed.
The company said there was evidence that some of the data “may have left our systems”, although the records did not contain payment card or bank account details and there was no evidence that any fraud had resulted.