The scale of the British Airways data breach has been described as “astounding” and “very worrying” by cyber security experts, after hundreds of thousands of customers’ personal and financial data was obtained by hackers.
“The scale and nature of this attack is astounding, with around 380,000 customers knowingly affected,” Ross Brewer, from security intelligence firm LogRhythm, told The Independent.
“We have heard many times of data breaches involving the theft of personal information which, whilst still very serious, doesn’t often include financial details.
“This breach involved both personal and financial information being stolen which is causing significant problems, not only for BA and its customers, but also banks which are struggling to manage the number of incoming calls to cancel credit cards.”
BA said no passport or travel details were stolen but the type of data exposed means criminals could use the details to commit fraud and make high-value purchases.
Other security experts said the airline should be more clear on what type of personal details were affected, as this could have an impact on the risk posed to customers.
“It is not clear what ‘personal’ data has been lost and in some cases this can magnify the scope of the fraud,” said James Lyne, head of research and development at cyber security firm SANS Institute.
“For customers it is really important to know exactly what data has been lost so BA should offer some clarity on this as soon as possible.”
British Airways chief executive Alex Cruz described the data breach as a “sophisticated, malicious criminal attack” and promised financial compensation to the customers affected.
“We are extremely sorry for what has happened. We know it has caused concern to some of our customers,” Mr Cruz told the BBC.
“Our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data.”
The full financial impact on affected British Airways customers may not be realised immediately, however, with the bank card details likely to pass through criminal forums on underground websites before they are used.
Cyber security analyst Leigh Anne Galloway, from Positive Technologies, told The Independent: “Once hackers have hold of high-value data like card details, the market in criminal networks for reselling is huge, meaning that we may not see the effects of this theft immediately until a buyer acts.
“The best thing to do for anyone who thinks their details may have been involved, or who has been told so by BA, should keep an eye on their transactions.”
Ms Galloway and other security experts advised BA customers to be wary of scam emails that use credentials taken from this breach, and to consider cancelling their credit and debit cards for peace of mind.