The hackers were able to steal the payment card information of Executive Club members who made award bookings between April 21 and July 28, 2018 (roughly 185,000 cards). This was not previously disclosed.
You can access BA’s page for the announcement here.
Here’s the update from British Airways:
Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.
The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.
While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.
In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.
We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.
UPDATE: Here’s the email that BA just sent me:
British Airways tries to limit its liability by stating “we had no verified cases of fraud”. How could they know when the banks and customers are dealing with the unauthorized charges due to BA’s inability to guard this information?
This breach may become very expensive for BA due to laws in place within the European Union.
Just had a look at my British Airways electronic tickets and I had issued three during the affected time period on April 22, April 27 and May 31. Eagerly waiting for another email from Mr. Cruz.