Hackers who stole the details of nearly 244,000 British Airways customers in a cyber attack could have raised £9.4million ($12,188 M) for Russian criminals, it has emerged.
Cyber security experts found the stolen credit card details were put up for sale online for between £6.94 ($8.97) and £38.58 ($49.87).
Magecart, a Russian-linked criminal group, is said to be behind the data breach in August in which 380,000 payments were initially thought to be compromised. The breach was detected 16 days after it began.
A British Airways investigation last month found that 244,000 cards were affected. Vitali Kremez, director of research at security firm Flashpoint, said criminals sold some details for higher prices because certain European cards were considered more valuable, The Daily Telegraph reported.
Experts said Magecart was one of the major vendors of compromised payment information online. It put the credit cards up for a sale a week after the hack, under adverts titled ‘CVV2 Dumps Update (high valid)’.
The hackers boasted of having the details of passengers from countries including the UK, US, Germany, Italy, Spain, Canada, France, Korea, Mexico, Argentina, Brazil and China.
The criminal group, which has run since 2015, has also targeted other major companies, including concert tickets website Ticketmaster.
The BA data breach dealt a huge blow to the airline’s reputation for customer service.
BA chief executive Alex Cruz said at the time: ‘We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.’
Customers flooded the airline with criticism on social media, with many slamming BA for failing to contact them directly about the breach.
One tweeted: ‘Idiots. So as an executive club member they have my card details, my passport, tel, email etc. All because you outsource IT to joke places to save money.’
Alex Neill of Which? said: ‘It is now vital that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take.’
The month before the hack, BA owner International Consolidated Airlines Group said profits had hit £989million ($1,282 M) for the first half of the year. BA raked in £780million of that sum.
The hack is significant because the scale of the payment information is almost unprecedented in the UK.
Telecoms firm TalkTalk was handed a record £400,000 ($517,078) fine by the Information Commissioner’s Office in 2016 when data from 156,959 customers was leaked the previous year, but financial information from just 15,656 was accessed.
Banks are legally obliged to refund customers who have had money fraudulently taken from their account.
A spokesman for BA said: ‘As soon as we discovered the data theft, we immediately contacted all affected customers to recommend they contact their banks to cancel or provide extra protection to their cards.
‘We have had no verified cases of fraud since the incident.’
This article has been adapted from its original source.
© Associated Newspapers Ltd.