British Airways (BA) has been hacked, with personal and payment details of its customers stolen, the company reported late Thursday.

An estimated 380,000 customers who made bookings over a two-week period between August 21 and September 5 are affected.

In a public announcement this morning, the airline posted: “We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.”

The company added: “From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings and changes on our website and app were compromised. The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.”

BA Hacked: Airline Pledges Reimbursements

BA said: “If you believe you have been affected by this incident, then please contact your bank or credit card provider and follow their recommended advice. Please check back here for further updates, we will be updating this page.”

Ilia Kolochenko, CEO of web security company, High-Tech Bridge, said in an emailed statement: “It is too early to make any definitive conclusions prior to a holistic technical investigation of the breach and its origins.”

“Shadow IT and legacy applications are a plague of today. Large organizations have so many intertwined websites, web services and mobile apps that they often forget about considerable part of them. On the other side, cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve a perfect prey to the attackers.”

“Web applications are the Achilles’ heel of modern companies and organizations. Lawmakers make their lives even more complicated, as for example with GDPR, many organizations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed or implemented.”

BA added: “Every customer affected will be fully reimbursed and we will pay for a credit checking service. We take the protection of our customers’ data seriously, and are very sorry for the concern that this criminal activity has caused” BA said.

To be updated.