British Airways is notifying an additional 185,000 passengers that their card details may have been stolen in a recently revealed Magecart digital skimming attack on its website and app.
The airline revealed in a statement on Thursday that the website-related breach discovered in September actually affected an extra 77,000 customers — with name, billing address, email address and card details including number, expiry date and CVV potentially accessed. It also hit another 108,000 customers who had the same data taken except for their card CVV.
These customers made reward bookings between April 21 and July 28, 2018, widening the time frame in which hackers had access to card data. Originally it was thought that the malicious Magecart skimming code was inserted on August 21 and sat there exfiltrating passenger card details for 16 days.
The statement implies the same actors are behind this April-July breach.
“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” BA continued. “Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.”
BA also revealed that its original estimate of 380,000 payment card details affected in the incident was too high, and that 244,000 were actually compromised. That means the total as it stands today is nearly half a million.
The airline reiterated its commitment to reimburse any customers who suffer financial losses as a result of the incident, and to offer credit monitoring to those who want it.
The firm also trumpeted the fact that there have so far been “no verified cases of fraud” as a result of the incident.
However, experts claimed that this statement should not reassure customers.
"Credit card details and supporting personal information may have already been sold on the dark web, but because this information has no clear tie to BA as the source it's impossible to track,” argued Simon Migliano, head of research at Top10VPN.com.
Jason Rebholz, senior director of strategic partnerships at Gigamon, added that until BA has completed its investigation, the full impact of the breach is unlikely to be known.
“Investigations into security incidents can take a lot of time,” he argued. “It is important that organizations have as complete information as possible when they go public, otherwise they will face a backlash when they have to continually modify their statements.”