British Airways provided an update on a previously disclosed data breach that affected its website, ba.com, and its mobile app between August 21, 2018 and September 5, 2018.
The breach was first reported on August 6, and it was later revealed that 380,000 customers may have been impacted.
“The stolen data included personal and financial details of customers making bookings and changes on ba.com and the airline’s app. The data did not include travel or passport details,” British Airways stated on their website.
The company also warned users to be wary of fraudsters sending phishing emails that aim to steal personal information. It also provided answers to multiple frequently asked questions.
Security firm RiskIQ said in a blog post on Tuesday that the breach could have been the result of a cyberattack by the criminal group Magecart.
The group likely placed malicious payment card skimming code on the airline’s payments web page, according to RiskIQ.
RiskIQ further warned that the Magecart attack against British Airways raises a question about payment form security:
“Companies, especially those that collect sensitive financial data, must realize that they should consider the security of their forms—but also the controls that influence what happens to payment information once a customer submits it.”