These are the key questions and answers.
Q What happened?
Between 10.58pm on 21 August and 9.45pm on 5 September 2018, hackers stole the personal and financial details of people who booked flights on the ba.com website and the British Airways app.
British Airways customers urged to contact banks after website theft
The data breach was identified, according to BA, when “a third party noticed some unusual activity and informed us about it”. The airline informed the police.
British Airways will not say who the third party was. But The Independent understands it was a company, possibly another airline, that was targeted with a high volume of attempted fraudulent transactions. It is not clear, though, how this was traced back to BA.
The airline says that once the theft was identified, ”We immediately acted to close down the issue, and started an investigation as a matter of urgency”.
Q Who does this affect?
An estimated 380,000 people who booked direct with the airline during the 15-day spell when security was breached. Bookings made outside this timeframe, or through travel agents, are unaffected.
Q What data was stolen, and what could it be used for?
When a passenger makes a booking through the British Airways website, they must submit their name, address and credit card details: the number, expiry date and security code or “Card Verification Value” (CVV) on the back.
With this information, a fraudster has a range of options, from cloning cards to making online purchases.
Because of the limited time before the fraud is uncovered, a popular way to extract value from stolen details is to buy plane tickets, typically for high-value, short-notice trips. That is why it is possible that another airline alerted British Airways to the fraud.
The airline stresses that “no passport or travel details were stolen”. That should mean that there is no connection between the name and address of the person and their planned dates for being away from home, nor for their passport data to be misused.
Q What details have been stolen – and if my details were stolen, what do I need to do?
You should already have been contacted by British Airways and told: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice.”
The likely response will be the same as when cards are physically stolen: the account remains the same, but the compromised credit-card number is changed. That means considerable hassle providing new details to all the firms that automatically bill your credit card.
Q Will I get compensation?
Nobody will be left out of pocket, according to the airline, which says: “Every customer affected will be fully reimbursed and we will pay for a credit checking service.” However, besides providing recompense for actual financial losses, the airline may face claims from customers who incur costs such as loss of earnings from having to “reboot” their financial settings.
Q Will my flight booking be affected?
No. This appears purely to be a financial crime, and has no effect on the airline’s day to day operations.
Q What does this mean for British Airways?
It is another severe embarrassment related to IT. In May 2017, a “power outage” triggered a collapse in the airline’s information systems and the cancellation of hundreds of flights over a bank holiday weekend.
As with that event, the costs from this data breach could run into tens of millions of pounds. In addition BA could face a stiff fine from the Information Commissioner.
After a cyber attack on TalkTalk in 2015, which affected fewer than half as many customers as BA’s breach, the telecom firm was fined £400,000. The commissioner’s line then was: “Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.”
The airline’s parent company, IAG, is likely to see its share price fall when stock markets open.