British Airways owner IAG has said 185,000 further customers may have had their personal details compromised during a cyber attack.

The airline group said it was contacting two groups of customers not previously notified, as part of an investigation into a cyber breach that took place earlier this year.

Holders of 77,000 payment cards whose name, billing address, email address, card payment information - including card numbers, expiry date and card verification value (CVV) numbers - have potentially been compromised.

A further 108,000 customers' personal details without CVVs were also compromised, the group said.

The attack targeted people making reward point bookings and those who used a payment card between 21 April and 28 July 2018.


:: British Airways promises compensation after 380,000 hit by data breach

In September, thousands of BA customers had to cancel their credit cards after the airline admitted a 15-day data hack had compromised 380,000 payments, prompting a criminal inquiry led by specialist cyber officers from the National Crime Agency (NCA).

At the time BA chief executive Alex Cruz said the airline would compensate customers who had financial information stolen, from what he called a "malicious criminal attack".

Image: Hackers targeted BA customers' reward bookings and those using payment cards between 21 April and 28 July

The firm said today that of those 380,000 payment card details identified, 244,000 were affected by the attacks which targeted customers using the BA.com website and mobile apps to book flights between 21 August and 5 September.

"While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution," IAG said.

"Since the announcement on September 6, 2018, British Airways can confirm that it has had no verified cases of fraud."

British Airways is facing a multi-million-pound fine as a result of the data breach possibly around £500m, with the Information Commissioner's Office (ICO) also investigating the incident.

BA's data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR).

Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17m or 4% of global turnover, whichever is greater.

In the year to 31 December 2017, BA's total revenue was £12.2bn, meaning the company could face a fine of around £500m if the ICO takes action.