British Airways will financially compensate customers whose bank card data were stolen in a "sophisticated" and "malicious" hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.
BA late Thursday revealed that personal and financial details of about 380,000 customers who booked flights on the group's website and mobile phone app between August 21 and Wednesday had been stolen.
The revelation comes just a few months after the European Union tightened data protection laws with the so-called General Data Protection Regulation (GDPR).
"We're extremely sorry for what has happened," Cruz told the BBC on Friday.
"There was a very sophisticated, malicious, criminal attack on our website."
BA took out full-page adverts in the UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than three percent in London deals.
"We are 100 percent committed to compensate them," Cruz said.
"We will compensate them for any financial hardship that they may have suffered," he told the broadcaster.
BA said it had launched an urgent investigation after realising that bank cards used to book its flights had been hacked.
The stolen data comprised customer names, postal addresses, email addresses and credit card information.
However the 15-day breach did not involve travel or passport details and has been fixed, the airline added.
- Regulators investigate -
"The moment we found out (Wednesday) that actual customer data had been compromised, that's when we began an all out immediate communication to our customers. That was our priority," Cruz said.
However Enza Iannopollo, privacy and security analyst at advisory group Forrester, said BA could have done better on informing those affected.
"If the timeline is confirmed and BA became aware of the breach on the evening of September 5th, then they have done their breach notification on time, which is of course a good thing," she said in a statement.
"However, customers are obviously not impressed about BA breach management at present. Some discovered it on social media, others reported wasting hours on the phone with their bank, everyone expects more from a company that truly cares about its customers."
"Terrible handling of the situation," tweeted one affected customer, Mat Thomas.
Iannopollo told AFP that it was too early to know whether BA would be fined over the affair.
"Regulators will assess the circumstances of this breach consistently with GDPR requirements" that came into force in May.
Britain's National Crime Agency said it was assessing the matter, while the UK's data protection watchdog, the Information Commissioner's Office, will make its own enquiries.
"The ICO will do its assessment and investigation to determine whether to levy a fine or impose any enforcement action, but this will take some time and it might be that the regulator determines that rules were not breached," Iannopollo said.
About 1100 GMT, shares in IAG, which also runs Spanish carriers Iberia and Vueling as well as Irish airline Aer Lingus, were down 3.5 percent at 657.60 pence on London's benchmark FTSE 100 index, down 0.8 percent overall.
"Today's news is a reminder of just what a hot issue cyber security remains and the importance of companies having the right protections in place to mitigate the risk posed by attacks," noted Russ Mould, investment director at AJ Bell.
GDPR meanwhile establishes the key principle that individuals must explicitly grant permission for their data to be used.
The case for the new rules had been boosted by a scandal over the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.