British Airways says it is investigating “as a matter of urgency” the theft of customer data from its website and mobile app.
The airline said personal and financial details of customers making bookings had been compromised.
About 380,000 transactions were affected, but the stolen data did not include travel or passport details.
BA said the breach took place between 22:58 BST on 21 August and 21:45 BST on 5 September.
“The breach has been resolved and our website is working normally,” BA said in a statement
“We have notified the police and relevant authorities. We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
BA said all customers affected by the breach had been contacted on Thursday night.
It added that anyone who believed they might have been affected should contact their bank or credit card provider and follow their recommendations.
Alex Cruz, British Airways’ chairman and chief executive, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
The airline has taken out adverts apologising for the breach in Friday’s newspapers.
The National Crime Agency and National Cyber Security Centre confirmed they are assessing the incident.
Consumer group Which? said people concerned they could be at risk should consider changing their online passwords, monitor bank and other online accounts and be wary that fraudsters may refer to the breach in scam emails. BBC NEWS