International Consolidated Airlines Group (ICAGY , the parent company of British Airways, said Friday that a "sophisticated criminal attack" on its computer systems led to the theft of personal data from at least 380,000 customers, sending shares sharply lower in early London trading.
British Airways said the cyber attack, which was first discovered late Wednesday, occurred between August 21 and September 5 and affected both its main customer website as well as its mobile booking app and was the most significant breach for the company in at least 20 years. The group said it would compensate people who lost money as a result of the hack, but insisted that no passport details were compromised during the attack.
"We are deeply sorry for the disruption that this criminal activity has caused," said CEO Alex Cruz. "We take the protection of our customers' data very seriously.
IAG shares were marked 3% lower by mid-day in London trading and changing hands at 660.8 pence each, a move which trim's the stock's year-to-date gain to just 1.7%.
"British Airwaysis communicating with affected customers and the airline advises any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice," the company said in a statement Friday. "British Airways has notified the police and relevant authorities."
The data breach is the second major tech-related incident under the tenure of CEO Cruz, who had to manage a global IT failure in the spring of 2017 that caused the cancellation its entire flight schedules for both Heathrow and Gatwick airports on one of the busiest days of the year for British holidaymakers.
IAG, which also owns regional carriers Aer Lingus, Iberia and Vueling, said that IT failure, which stranded some 75,000 passengers, ultimately cost the group around £58 million in compensation payments.