British Airways planes. Picture: REUTERS
British Airways planes. Picture: REUTERS

London — British Airways (BA) will financially compensate customers whose data was stolen in a "sophisticated" and "malicious" hack, CEO Alex Cruz said on Friday as he apologised for the fiasco.

Late on Thursday, BA revealed that personal and financial details of customers who booked flights on the group’s website and smartphone app between August 21 and Wednesday August 29 had been stolen. The revelation comes just a few months after the EU tightened data protection laws.

"We’re extremely sorry for what has happened," Cruz told the BBC on Friday. "There was a very sophisticated, malicious, criminal attack on our website."

BA took out full-page adverts in UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than 3% in London deals.

"We are 100% committed to compensate them," Cruz said. "We will compensate them for any financial hardship that they may have suffered."

BA said it had launched an urgent investigation after realising that about 380,000 bank cards used to book its flights had been hacked. The stolen data comprised customer names, postal addresses, e-mail addresses and credit card information. However the 15-day breach did not involve travel or passport details and has been fixed, the airline added.

"The moment we found out [on Wednesday] that actual customer data had been compromised, that’s when we began an all-out immediate communication to our customers. That was our priority," Cruz said.

However Enza Iannopollo, privacy and security analyst at advisory group Forrester, said BA could have done better on informing those affected. "If the timeline is confirmed and BA became aware of the breach on the evening of September 5, then they have done their breach notification on time, which is of course a good thing," she said in a statement.

"However, customers are obviously not impressed about BA breach-management at present. Some discovered it on social media, others reported wasting hours on the phone with their bank, everyone expects more from a company that truly cares about its customers."

"Terrible handling of the situation," tweeted one affected customer, Mat Thomas.

Iannopollo told AFP it was too early to know whether BA would be fined over the affair. "Regulators will assess the circumstances of this breach consistently with the General Data Protection Regulation (GDPR) requirements," she said, referring to the EU’s regulation that came into force in May.

Britain’s National Crime Agency said it was assessing the matter, while the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), will make its own enquiries. "The ICO will do its assessment and investigation to determine whether to levy a fine or impose any enforcement action, but this will take some time and it might be that the regulator determines that rules were not breached," Iannopollo said.

At about 11am GMT, shares in IAG, which also runs Spanish carriers Iberia and Vueling as well as Irish airline Aer Lingus, were down 3.5% at 657.60p on London’s benchmark FTSE 100 index, down 0.8% overall.

Noted Russ Mould, investment director at AJ Bell: "Today’s news is a reminder of just what a hot issue cyber-security remains and the importance of companies having the right protections in place to mitigate the risk posed by attacks."