British Airways Hack Was Much Bigger Than First Admitted

The cyber-attack on British Airways affected even more customers than originally thought, according to its owner IAG.

A further 185,000 customers might have had their personal details stolen during the hack, it said.

The group said in a stock exchange announcement that as part of an investigation into a cyber breach that took place earlier this year, it is contacting two groups of customers not previously notified.

These include the holders of 77,000 payment cards whose names, billing addresses, email addresses and card payment information, including card number, expiry date and Card Verification Value, have potentially been compromised.

A further 108,000 people's personal details without Card Verification Value have also been compromised.

Those impacted were people making reward bookings between April 21 and July 28, 2018, and who used a payment card.

In September, thousands of BA customers had to cancel their credit cards after the airline admitted that a 15-day data hack had compromised 380,000 payments, prompting a criminal inquiry led by specialist cyber officers from the National Crime Agency (NCA).

The firm said today that of the 380,000 payment card details identified, 244,000 were affected.

"While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution," IAG said.

"Since the announcement on September 6, 2018, British Airways can confirm that it has had no verified cases of fraud."

British Airways is facing a multimillion-pound fine as a result of the data breach, which the airline's chief executive described as a "malicious criminal attack".

Cyber criminals behind the attack obtained enough credit card details to use them, and BA now faces a possible fine of around £500 million over the breach, with the Information Commissioner's Office (ICO) also investigating the incident.

BA's data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR). 

Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17 million or 4% of global turnover, whichever is greater. 

In the year ended December 31 2017, BA's total revenue was £12.2 billion, meaning the company could face a fine of around £500 million if the ICO takes action.

Independent:
