British Airways customers have been left cancelling their credit cards after a 15-day data breach that compromised around 380,000 card payments.
The airline admitted that “criminal activity” had compromised the personal and financial details of customers who had made bookings on its website or app from 11pm on August 21 to 9:45pm on Wednesday.
The National Crime Agency and National Cyber Security Centre are assessing the breach, alongside BA itself.
Shares in British Airways owner IAG were down over 4 percent shortly after the London Stock Exchange opened, before settling 2 percent lower.
BA said on Thursday evening: "British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline's mobile app. The stolen data did not include travel or passport details.
"The breach has been resolved and our website is working normally."
‘Sophisticated and malicious’
Alex Cruz, BA's chairman and chief executive, said it was "deeply sorry for the disruption that this criminal activity has caused".
He said: "We take the protection of our customers' data very seriously."
Mr Cruz said BA had "hundreds" of people communicating with customers "making sure that we can help to protect that data".
He told the BBC on Friday morning that the attack was "sophisticated" and "malicious".
He said: "There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work.
"We didn't know exactly (the) extent of the work, so overnight, the teams were trying to figure what was the extent of the attack."
The incident comes after an IT meltdown caused huge disruption for BA passengers at the start of the May half-term holiday.
Some 75,000 passengers were left stranded after a glitch forced the airline to cancel nearly 726 flights over three days.