In a statement published on its main website, British Airways has confirmed and apologized for the theft of payment card data belonging to more than 380.00 customers.
"We are investigating the theft of customer data from our website and our mobile app between 21st August and 5th September as a matter of urgency. The stolen data did not include travel or passport details," says the customer data theft entry on the company's website.
All customers who suffered financial losses because of the data theft will be reimbursed by the airline, and British Airways will get in touch with all of them to let them know what happened and to advise them to contact their credit card providers or banks to get advice on how to proceed further.
Alex Cruz, Chairman and Chief Executive Officer of British Airways, also apologized for the attack's terrible consequences and the disruption of normal operation, while also making sure to point out that customer data protection is taken "very seriously."
British Airways' quick actions could be a direct result of GDPR regulations
British Airways does not provide any detailed information on the data breach incident, given that there's still an ongoing investigation by both security experts and the police, but it has taken all necessary measures to prevent further loss of customer data.
"Specialist officers from the NCA’s National Cyber Crime Unit (NCCU) are managing the ongoing investigation and are on site working with BA to gain a better understanding of the incident," said the UK National Crime Agency (NCA) in a separate statement on their website.
The NCA also links to an "NCSC advice for British Airways customers" page on the National Cyber Security Centre’s (NCSC) website where customers affected by the British Airways data breach can find guidance and advice on how to best mitigate the data loss suffered during the cyber-attack.
The quick steps taken by British Airways to acknowledge the data breach and apologize to its customers come as no surprise, seeing that the GDPR (General Data Protection Regulation) requires organizations to report data breach incidents to the Information Commissioner’s Office or risk getting fined.
UPDATE: Ironically, although British Airways said in their statement that "The incident has been resolved and ba.com is working normally", the page detailing the data breach is served via an insecure connection, as discovered by Steve Parker:
.@British_Airways Your page about the data breach is not secure... pic.twitter.com/Zfm46BG7Sp — Steve Parker (@iSteveParker) September 6, 2018