British Airways said that the personal and financial details of customers making bookings between August 21 and September 5 had been stolen in a data breach involving 380,000 bank cards.
The almost two week long hack did not involve travel or passport details, the airline said, adding that it had launched an urgent investigation into the theft of customer data.
“The personal and financial details of customers making bookings on our website and app were compromised,” it said. “The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.”
BA said the breach took place between 2158 GMT on August 21 and 2045 GMT on September 5 and that around 380,000 payment cards were compromised.
BA advised anyone who believed they may have been affected to contact their bank or credit card provider and follow their recommendations.
In terms of compensation, BA said they would be in touch with customers “and will manage any claims on an individual basis.”
“We are deeply sorry for the disruption that this criminal activity has caused,” the airline said.
It said customers due to travel could check in online as normal as the incident had been resolved.
BA customer Daniel Willis, 34, who booked a flight on Monday with the airline, said he had not been contacted by the airline despite being affected by the data breach.
“I’ve not heard anything from them on this and I’ve just had to cancel the card I used. They’re a shambles,” he told the Daily Telegraph newspaper.
Another BA customer, Stephanie Jowers, said she contacted the airline hours before the hack was announced to query a suspicious charge on her account but was not informed it could have been compromised.
“I asked repeatedly for an explanation. None was given,” she told the Daily Telegraph.
Past IT issues
The National Crime Agency said: “We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action.”
The NCA is set up to tackle the most serious and organised crime posing the highest risk to public security in Britain.
BA apologised in July after technology issues caused dozens of its flights to and from London Heathrow Airport to be cancelled.
The airline said the problem was down to an incident with an IT system.
And in May 2017, British Airways suffered a major computer system failure triggered by a power supply issue near Heathrow which left 75,000 customers stranded.
IAG, which owns British Airways and Spanish carrier Iberia, said last month that first-half profits more than doubled.
Earnings after taxation flew to 1.4 billion euros ($1.6 billion) in the first six months of 2018 compared with 607 million euros a year earlier, IAG said in a results statement.
The London-listed group, which is also the owner of Irish airline Aer Lingus and Spanish carrier Vueling, added that total revenues swelled three percent to 11.2 billion euros.
BA announced last month that it will halt flights to Tehran in September, citing low profitability as the US reimposes sanctions on Iran.