British Airways loses customer payment card data in breach

British Airways today announced the theft of customer data from its website and mobile app.
Customers who used the airline’s website and mobile app to make reservations between August 21 and September 5 are affected by the incident.
The airline has shared few details so far, as the investigation is ongoing and it is too early to assess the damage. It says it has put an end to the breach and informed the relevant authorities.
Travel and passport information is unaffected, according to the air carrier, but the personal and financial details of 380,000 customers have been viewed by an unauthorized party.
“We will contact affected customers directly to let them know what has happened and advise them to contact their banks or credit card providers and follow the recommended advice,” British Airways said in a statement.
All operations are proceeding normally for now, but users are advised to change their passwords and choose a unique and strong one. The airline also recommends that affected customers call their bank and follow their instructions, to minimize potential financial damage.
To make sure its post reaches a large share of its customers, British Airways pinned the announcement of the breach to its Twitter page, so that all of its 1.17 million subscribers could see it.
We are urgently investigating customer data theft on our website and mobile app. For more information, please click on the following link: https://t.co/2dMgjw1p4r
– British Airways (@British_Airways) September 6, 2018
“We are deeply sorry for the disruption caused by this criminal activity. We take the protection of our customers’ data very seriously,” said Alex Cruz, Chairman and CEO of British Airways.
Publicly announcing the incident in this way is not only a good method of informing customers, but it can also help the air carrier get a lower fine from the UK data protection watchdog, the Information Commissioner’s Office (ICO).
This decision also complies with the provisions of the GDPR, which requires organizations in the UK to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the incident.
If the breach affects the rights and freedoms of individuals, they should also be notified without delay. If the organization cannot identify those affected by the breach, it would make sense for a public announcement of this magnitude to count as a notification.
British Airways is not alone
A similar incident was reported by Air Canada on August 28. Data in its mobile app had been accessed without authorization over a two-day interval, forcing the company to lock all of its 1.7 million accounts.
20,000 customers were affected by this incident. At a minimum, the intruder could have stolen the account owner’s name, email address and phone number, as this is the information required for a mobile app account.