Last Thursday, International Airlines Group, the owner of British Airways, said that an investigation into the company's data breach last September had revealed that another 185,000 users were affected by an earlier hack on its website.
The internal investigation uncovered a second hack that potentially compromised another 77,000 payment cards, exposing the card number, CVV and expiry date, as well as another 108,000 cards without the CVV.
The earlier breach affected British Airways customers who made reward bookings using a payment card between the 21st of April and the 28th of July this year.
However, the company also reduced its initial estimate of the customers originally identified in the breach on the 6th of September, from 380,000 to 244,000. The total number of users affected across both hacks currently stands at 429,000.
The airline said that it had not been notified of any verified cases of fraud resulting from the hack.
In a stock market filing, the firm disclosed: “While British Airways does not have conclusive evidence that the data were removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”
The European regional manager for IT security company Netwrix, Matt Middleton-Leal, stated: “The ease at which the hackers were able to insert malicious code into the BA website is a significant concern. The type of attack, known as cross-site scripting, is not new in any way.”
He added: “It relies on a poorly designed website which can then be altered to harvest data for the hacker. If organisations do not test their public facing applications regularly and protect the data they capture and store these embarrassing leaks will continue.”
Despite the news, shares in IAG closed more than three percent higher.