British Airways was warned by IT experts earlier this year that it was vulnerable to a hack in which criminals could steal customers’ card details, it has been claimed.
The airline announced on Thursday that it had suffered a major hack compromising the bank card information of around 380,000 customers.
Due to strict new data protection laws British Airways is now facing a fine of up to £897m, or 4 percent of its parent company’s turnover, if regulators find it has not done enough to keep customer data safe.
The Telegraph can reveal that last year the airline failed an industry standard for consumer data protection, which is required by card providers Visa and Mastercard for all companies accepting, transmitting or storing any cardholder data.
The standard, called the Payment Card Industry Data Security Standard, is a set of security standards designed to ensure that companies which accept, process, store and transmit credit card information keep it secure.
British Airways said it had a number of fully operational monitoring tools which it used to check for suspicious activity. It added that the Standard related to the protection of customer accounts, none of which were compromised during the attack.
An IT expert told this newspaper they had warned British Airways it was vulnerable to being hacked, accusing it of “sticking its head in the sand” over the state of its IT systems. British Airways denied it received any such warnings.
Derwyn Jones, chief executive at payment provider Ultracomms, said: “This latest breach is a serious wake-up call, particularly to the travel industry, that we live in a new era of sophisticated hacking where no company is invulnerable.”
The airline admitted “criminal activity” had compromised the personal and financial details of customers who made bookings on its website or app from just before 11pm on August 21 until 9.45pm on Wednesday.
British Airways confirmed Friday morning that hackers had obtained names, addresses, credit card numbers, expiry dates and the three-digit security codes on the backs of cards, enough for them to make fraudulent payments.
Furious British Airways customers have been left having to cancel their credit cards, with many reporting they had money taken from their accounts and rogue direct debits set up in their names.
Alex Cruz, British Airways’ chairman, revealed the hackers were “very sophisticated criminals” who had not hacked the company’s encrypted data, but rather gained “illicit access” to the airline’s system.
This meant the breach went unnoticed for more than two weeks, he claimed. The National Crime Agency and National Cyber Security Centre are also investigating the hack.
An ICO spokesman said: “British Airways has made us aware of an incident and we are making enquiries.”
The NCA warned that fraudsters could piggyback on the incident in a bid to con people out of money. A spokesman said: “We know that ‘opportunist’ criminals often use incidents like this to conduct secondary fraud attacks.”
British Airways has said all customers will be compensated for losses as a result of the hack.