Anyone who's ever booked a BA ticket is understandably horrified. The financial details of 380,000 people who booked flights, or paid to change a booking, between 22:58 BST on 21 August and 21:45 BST on 5 September were stolen.
Only specific bookings were affected - those made on ba.com or via the BA app. BA said, "Payments made through our call centres, travel agents or online travel sites are not affected."
The carrier was at pains to say that personal data, including travel itineraries and passports, were not affected but that financial data, namely names, billing address, email address and all bank card details were. "Bank card details" turned out to be credit card numbers, expiry dates and CVV codes.
There are two stunning issues about the hack: that it affected bookings on the site and the app but not those made anywhere else, and that the financial data included CVV numbers, the three or four digits on a card which act as a second layer of security to validate a transaction.
This is a number which merchants are not supposed to keep, and which BA says it does not keep. Wired quotes RiskIQ threat researcher Yonathan Klijnsma: "The British Airways attack we see as... they [Magecart, widely speculated as the culprit] setting up specialized infrastructure mimicking the victim site... The attack doesn't necessarily involve penetrating an organization's network or servers, which would explain how hackers only accessed information submitted during a very specific timeframe, and compromised data that British Airways itself doesn't store."
Wired said, "It's normal for an app's functionality to be based in part on existing web infrastructure, but the practice can also create shared risk."
What happened can probably be attributed to the airline not updating a connection or script. The fingers are pointed straight at IAG's obsession with cost-cutting and, in particular, its lack of investment in technology infrastructure.
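The researcher's description above is of a client-side skimmer: a script served from infrastructure that mimics the real site runs in the customer's browser at checkout and copies whatever is typed into the payment form, which is why only a narrow window was affected and why CVV codes the airline never stores were taken. The defensive check below is an added example and is not code from the article, from BA or from RiskIQ. It audits the `<script>` tags of a checkout page against an allowlist of first-party origins, flags external scripts that lack a Subresource Integrity (SRI) hash, flags inline scripts, and builds a Content-Security-Policy value that confines script execution to the allowlisted origins. The airline origin, the look-alike origin, the integrity value and the sample HTML are all constructed for the example.

```javascript
// Added example, not from the article: audit a checkout page's <script> tags
// against an allowlist of first-party origins, the kind of check that would
// surface a skimmer script served from look-alike infrastructure.
// All URLs and the HTML below are constructed for the example.

const FIRST_PARTY = "https://www.example-airline.test"; // assumed first-party origin

// Constructed checkout page: one legitimate script with Subresource Integrity,
// one legitimate script without it, one script from an unexpected origin,
// and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/static/js/checkout.js" integrity="sha384-CONSTRUCTEDHASHVALUE" crossorigin="anonymous"></script>
<script src="https://www.example-airline.test/static/js/modernizr.js"></script>
<script src="https://cdn.lookalike-airline.test/js/modernizr.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Parse the attribute text of one <script ...> tag into a plain object.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Walk every <script> tag and return findings. Each finding names the tag's
// src (or "inline") and the reason it was flagged.
function auditScripts(html, allowedOrigins, baseUrl) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) {
      // Inline code cannot carry an integrity attribute and is where a
      // skimmer injected into the page's own HTML would live.
      findings.push({ src: "inline", reason: "inline-script" });
      continue;
    }
    const origin = new URL(attrs.src, baseUrl).origin;
    if (!allowedOrigins.includes(origin)) {
      findings.push({ src: attrs.src, reason: "unexpected-origin" });
    }
    if (!attrs.integrity) {
      // Without SRI the browser runs whatever the server sends today, so a
      // modified copy of a legitimate script passes unnoticed.
      findings.push({ src: attrs.src, reason: "missing-sri" });
    }
  }
  return findings;
}

// A Content-Security-Policy value that confines script execution to the
// allowlisted origins; a script loaded from anywhere else is blocked by the
// browser and reported, rather than silently run.
function buildScriptCsp(allowedOrigins) {
  return `script-src ${allowedOrigins.join(" ")}; object-src 'none'; base-uri 'none'`;
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, [FIRST_PARTY], FIRST_PARTY), null, 2));
console.log(buildScriptCsp([FIRST_PARTY]));
```

Run against the constructed page, the audit reports four findings: the look-alike CDN script is flagged for its origin and for missing SRI, the first-party `modernizr.js` copy is flagged for missing SRI, and the inline snippet is flagged as inline. A check like this belongs in the build pipeline and in a periodic fetch of the live checkout page, because the point of the attack described above is that the server-side application is untouched and only the delivered page changes.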
BA's focus on profit through cost-cutting might be at a high price.
GDPR regulations are now in force. Any data breach must be disclosed within 72 hours, and the organisation is liable to be fined. The fine can be up to 4% of global revenue, which in the case of BA is about £500 million.
The cost to the travel buying community is of a different order.
Although GDS bookings were not affected, many corporate travellers do book online and indeed have been incentivised to do so through initiatives such as the BA-Concur partnership.
Many corporate travellers have been encouraged to take responsibility for their own travel and use the app if their itinerary changes and a new booking becomes necessary.
If a business traveller has booked according to corporate travel policy and personal data is jeopardised like this, there is a duty of care issue for the company.
Travel managers should consider reviewing the T&Cs of air contracts.