As we reported around two months ago, the well-known British Airways company was investigating a breach of its customers' bank card details during September. When AMATAS covered this attack in early September, official information put the number of victims at 380,000. It now turns out that this number has grown by 77,000.

"The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date, and CVV have potentially been compromised, and a further 108,000 without CVV," the official statement released by British Airways said.

"The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card."

In addition, the official statement also said that the company is in the process of notifying the affected customers, but if a customer has not received a message by the end of the working day on October 26, there is no reason to worry.

The attack against British Airways was carried out by cybercriminals who added a malicious Magecart script to a third-party JavaScript library called Modernizr.

Because Modernizr was used by the British Airways website, the malicious script was able to collect and steal the bank card data entered there, as well as the complete information about the payments made with these cards.

All data stolen by the hackers was sent to a remote server controlled by those cybercriminals.
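A defensive check for the kind of library tampering described above, as an added example that is not from the original article or from British Airways: it compares a served copy of a third-party script against a digest pinned at review time (in Subresource Integrity format) and lists hostnames the script references outside an allowlist. The sample scripts, host names and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// SRI-style digest: "sha384-" + base64(SHA-384 of the script bytes).
function sriDigest(source) {
  const hash = crypto.createHash('sha384').update(source, 'utf8').digest('base64');
  return 'sha384-' + hash;
}

// Hostnames in absolute or protocol-relative URLs found in the script text.
// Heuristic only: obfuscated or runtime-built URLs will not show up here,
// so the digest comparison remains the primary signal.
function referencedHosts(source) {
  const hosts = new Set();
  const re = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// Compare the served script with the pinned digest and the host allowlist.
function auditScript(source, pinnedDigest, allowedHosts) {
  const digest = sriDigest(source);
  const unexpectedHosts = referencedHosts(source)
    .filter((h) => !allowedHosts.includes(h));
  return { digest, tampered: digest !== pinnedDigest, unexpectedHosts };
}

// Constructed sample: the reviewed library and a served copy with appended code.
const reviewed = '/* library v1 (constructed) */ window.lib = { ok: true };';
const served = reviewed +
  '\n/* appended */ var u = "https://collector.example.net/c";';
const pinned = sriDigest(reviewed);   // recorded when the library was reviewed
const allowed = ['www.example.com'];  // hosts the site is expected to contact

console.log(auditScript(reviewed, pinned, allowed));
console.log(auditScript(served, pinned, allowed));
```

The same pinned digest can be placed in the `integrity` attribute of a `<script>` tag so that browsers refuse to run a copy that no longer matches.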

Regarding the compromised Modernizr library, the investigation has found that the number of affected customers was different from the one initially reported during September.

"Crucially, we have had no verified cases of fraud," British Airways said in the official statement. Cybersecurity experts, however, see the most important issue in this incident very differently. A breach like this in the security of customers' bank data at such a large airline carries an extremely high risk of subsequent serious crime and financial abuse. In addition, the company has clearly failed to justify the trust the public placed in it. People gave the company a tremendous amount of bank and personal data to process and store, and the company did not take the necessary measures to ensure its security.

It will also be interesting to see what fine is imposed on the airline now that the new European General Data Protection Regulation (GDPR) has entered into force. In Austria, the first fine under the GDPR requirements was imposed a few days ago, so the regulation is clearly already being applied in practice. That is why AMATAS' specialists remind you that responsibility for protecting stored personal data lies with every company operating on the European market, regardless of the size of the business. For this reason, we advise you to pay close attention to the security of the data that your company records. Rely exclusively on authorized companies to perform professional security checks, and take the necessary measures to ensure that your data is not accessible to outsiders.
