British Airways reveals a further 185,000 users affected in fresh data hack
British Airways owner International Airlines Group today said an investigation into September's data breach has revealed a further 185,000 users had been affected in an earlier hack on its website.
An internal investigation uncovered a second hack in which the financial details of another 77,000 payment cards were potentially compromised, including card number, expiry date and CVV, along with a further 108,000 cards without the CVV.
The earlier breach affected British Airways customers making reward bookings between 21 April and 28 July this year using a payment card.
However, the firm also revised down its initial estimate of the number of customers identified in the breach disclosed on 6 September, from 380,000 to 244,000. The total number of users affected in both hacks now stands at 429,000.
The airline said it had not been notified of any verified cases of fraud as a result of the hack.
The firm said in a stock market filing: “While British Airways does not have conclusive evidence that the data were removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”
Matt Middleton-Leal, EMEA general manager for IT security firm Netwrix, said: "The ease at which the hackers were able to insert malicious code into the BA website is a significant concern. The type of attack, known as cross-site scripting, is not new in any way.
"It relies on a poorly designed website which can then be altered to harvest data for the hacker. If organisations do not test their public-facing applications regularly and protect the data they capture and store, these embarrassing leaks will continue."
Despite the news, shares in IAG closed more than three per cent up.