British Airways has admitted that hackers stole the credit card details of 185,000 customers it had not previously notified.
The airline apologised last month for the theft of card details of 380,000 customers in a two-week attack on its website and app.
The airline’s parent company, International Airlines Group (IAG), said on Thursday that it was notifying another 77,000 card holders whose payment information, including security codes, may have been compromised and 108,000 customers whose card details were exposed without security codes.
“While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” IAG said.
“Since the announcement on September 6, 2018, British Airways can confirm that it has had no verified cases of fraud.”
Cyber criminals behind the attack obtained enough credit card details to use them, and BA now faces a possible fine of around £500 million over the breach which its chief executive described as a “malicious criminal attack”.
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17 million or 4% of global turnover, whichever is greater.
The data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR).