British Airways has announced that personal and financial details of users who booked through the website and app have been hacked. These bookings were made in between 21 August and 5 September 2018. Details like customer names, street and e-mail addresses, credit-card numbers, expiry dates and security codes were obtained by the hackers.

While the company didn’t disclose any more details about the data leak, reports suggest that data of about 380,000 users was compromised. It remains unclear if any Indian users were effected by the hack. Reports have suggested that details stolen from the hack could have already been put on sale. The airline said that it would compensate customers who have been financially affected by the data breach.

PayPal, travel agent bookings also compromised

BA has suggested that its users contact their respective banks and credit card providers “for advice” to know if they have been affected. In case the user had used PayPal to pay for their travel, while their data had not been compromised, “there does remain the risk that some of your personal information such as your name and address may have been accessed.” Bookings made via a travel agent would also be affected in this breach.

According to a report by the Guardian, the company could be fined around a staggering $650 million. It could be fined up to 4% of its worldwide revenues if found guilty of not doing enough to protect user data under the recently implemented GDPR laws. However, if the regulator decides to fine the airlines’ parent company, International Airline Group (IAG), the penalty could further surge to as much as $1.16 billion, the Guardian reports. That apart, the airlines could also be fined by the Information Commissioner’s Office, which is looking into the breach, reports the BBC.