British Airways has issued an update on its investigation into a data breach to reveal that a second attack may have involved the CVV numbers of 77,000 customers’ payment cards.
The airline revealed an incident on 6 September, saying up to 380,000 card payments were affected by the breach, which took place between 21 August and 5 September.
Following an investigation with cyber forensic specialists and the National Crime Agency, BA has now said hackers may have stolen additional personal data in a separate incident. This includes the name, billing address, email address and card payment information – including card number, expiry date and CVV – of up to 77,000 customers not previously notified, as well as a further 108,000 cards without CVVs.
BA says only customers making reward bookings (whether air fare, car rental, hotel rooms or experiences) between 21 April and 28 July who used a payment card are potentially affected.
The airline claims it does not have conclusive evidence to say the data was removed from its systems, but says it is taking “a prudent approach in notifying potentially affected customers”.
Those who may have had data compromised will be notified by 1700 GMT on 26 October, according to BA.
BA says it will offer reimbursement for financial losses as a result of the breach, as well as credit rating monitoring provided by “specialists in the field”.
A statement on BA’s website says passengers are only being informed of the breach now because of the “complex” nature of the investigation.
The airline has not commented on what customer data was stored on its website due to the ongoing investigation.