The chief executive of British Airways has promised to compensate customers who have had their data stolen in what he described as a sophisticated breach of the company’s security systems.
Álex Cruz apologised on Friday after it was revealed that about 380,000 payment cards had been compromised in a theft of data from the BA website and app over a two-week period.
“The first thing to say is that I am extremely sorry for what happened,” Cruz said on the BBC Radio 4 Today programme. “We will work with any customer affected and we will compensate any financial hardship suffered.”
Shares in the owner of BA, IAG, fell nearly 3% on Friday morning as investors weighed the impact of the hack on ticket sales.
The breach took place between 10.58pm BST on 21 August and 9.45pm on 5 September. The airline said personal and financial details of customers making bookings had been compromised.
Cruz said the attack had not been a breach of encryption but it was a “sophisticated” effort by criminals. He said he would not go into much detail about the nature of what happened because the police were investigating.
The data theft, one of the most serious to hit a UK company, deals another blow to BA’s reputation. The airline experienced an IT disaster last year when a power surge in its control centre near Heathrow caused a global flight interruption and left tens of thousands of passengers stranded, most notably at London airports.
Cruz said the company was operating profitably and would expand its services and customer care. “We will get through this.”
He said BA had a network of partners that monitored websites around the world. A partner alerted the airline to the cyber-attack on 5 September and an investigation was launched. “The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers,” Cruz said.
The airline placed advertisements in newspapers on Friday apologising for the breach.
The Information Commissioner’s Office is investigating the breach and the airline could be fined.