British Airways is investigating the theft of customer data from its website and app over a two-week period and has urged customers affected to contact their banks or credit card providers.
The airline said around 380,000 payment cards had been compromised and it had notified the police.
In a statement it said: “The stolen data did not include travel or passport details. From 22.58 BST August 21 2018 until 21.45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised. The breach has been resolved and our website is working normally.
“British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.
“We have notified the police and relevant authorities.”
The data theft, one of the most serious to hit a UK company, deals another blow to BA’s reputation. In May last year, the airline suffered an IT disaster when a power surge in its control centre near Heathrow caused a global flight interruption and left tens of thousands of passengers stranded, most notably at the London airports. Smaller glitches have recurred, with dozens of short-haul flights cancelled again this July.
Although BA and the airline group that owns it, IAG, have denied the issues were connected to a decision to outsource IT operations, the latest breach will raise further questions.
The National Crime Agency said: “We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action.”
A spokesman for the Information Commissioner’s Office said it would be making inquiries about the data theft.
Alex Neill of Which? said: “British Airways customers will be concerned to hear about this data breach. It is now vital that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”
BA could also potentially face swingeing fines should it be found negligent, under new general data protection regulations. The rules now in force could see a drastic escalation in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues – which in BA’s case spells an upper limit of £500m.
Rob Burgess, editor of UK frequent flyer website www.headforpoints.com, said: “Data breaches are part and parcel of the world we now live in, and criminal activity is getting ever more sophisticated. Unfortunately, this is likely to be another PR disaster for British Airways, especially as it includes tickets bought in their September sale which is being widely promoted at the moment.”