British Airways has made significant revisions to its account of how many payments may have been compromised in a card-skimming breach the airline reported last month. Additional incidents have been discovered, but the original reported exposure was smaller than announced, the company said.
The company said on Thursday that it identified an additional window of time when payments were exposed by hackers, and is freshly notifying about 185,000 affected accounts. Of the new number, the airline says that 77,000 card holders had basic billing information as well as card number, expiration date and CVV (the security code usually on the back of the card) exposed. The other 108,000 did not have the CVV exposed.
The airline says the newly identified incidents involve rewards bookings between April 21 and July 28. Those dates are separate from British Airways’ initial disclosure last month.
British Airways said at the initial disclosure in September that it notified 380,000 customers of the potential compromise of their payment information between Aug. 21 and Sept. 5. The good news, all things considered, is that the airline British Airways now says that only 244,000 of the original 380,000 were affected.
“Crucially, we have had no verified cases of fraud,” the company said.
The announcement is about exposure of data, British Airways stresses, and does not necessarily mean that hackers exfiltrated anything they could use.
“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” the airline said.
The company said the reason for the delay in reporting the new developments is that it has been conducting “a complex investigation with specialist cyber forensic investigators, and working closely with the [U.K.] National Crime Agency.”
After British airways came out with its first announcement in September, cybersecurity company RiskIQ implicated Magecart, a loosely associated set of hacking groups that generally conduct card-skimming, in the breach.