The credit card details of 380,000 British Airways customers could already be on sale on the internet after the airline suffered a “malicious” data breach, experts have warned.

Customers were scrambling to change their credit card details on Friday, after BA said it was investigating the theft of passengers’ financial data from its website and app over a two-week period between 21 August and 5 September. The airline said it would compensate passengers for any losses, signalling the potential for large payouts, given the number of customers affected.

But cybersecurity experts said the customer information, including key security data such as the three-digit CVV code on the back of credit cards, might already have been traded on the dark web, a secretive layer of the internet frequently used by criminals. Paul Lipman, chief executive of cybersecurity company Bullguard, said customers’ credit data was “almost certainly up for sale on the dark web as we speak”.

One analyst said the stolen data would be worth more than £20m, based on the going rate for credit card details on illicit websites.

Lawyers said the company could also be hit with a class-action lawsuit from passengers if it was found to have failed to protect their personal data properly.

The National Crime Agency, which is leading the investigation, said its officers were working with BA and that affected customers should now be on the lookout for a wave of “opportunistic” follow-up scams by fraudsters seeking personal data from people affected by the data breach.

The details stolen in the online theft included names, email addresses and credit card information, including the CVV code. BA has said that its encryption was not breached but that the hackers used other “very sophisticated” methods. Cybersecurity experts speculated that the inclusion of CVV numbers meant that hackers had copied customers’ data as they were typing it into the BA website, rather than stealing it from a database.

Experts have pointed to the dark web as one possible destination for the data. The dark web is a term for corners of the internet, often accessible using certain software or encryption techniques, used by criminals for purposes such as clandestine drug sales or trading in personal data.

Simon Migliano, head of research and cybersecurity expert at the online privacy website Top10VPN.com, said BA customers’ data could be worth £21.5m, based on an estimate of the average cost criminals are willing to pay for credit card details.

“This serious security breach at BA could be sending the dark web into a frenzy,” he said. “Financial information is extremely valuable and highly desirable and our Dark Web Market Price Index shows that credit card details can sell for £56.50 each.”

BA could also face a class-action lawsuit from customers if it has failed to protect their data, according to the data privacy lawyer Nick McAleenan of JMW Solicitors.

“The question of whether BA’s system is up to scratch is the key issue,” said McAleenan, who is representing employees of the supermarket chain Morrisons in a class action after they were subjected to a data breach.

“If it can be demonstrated that they didn’t have technical and organisational measures in place to prevent hackers getting access, you’ve got the makings of a data protection claim.”

He said victims would not necessarily have to show financial loss but could claim based on the loss of their data alone, as well as the inconvenience and upset caused.

The airline could also be fined hundreds of millions of pounds by the Information Commissioner’s Office (ICO), which can impose penalties of up to 4% of turnover under new EU rules governing data protection. If the maximum were applied to BA, it could face a fine of £488m, but if the percentage were applied to the parent company, International Airlines Group, the amount could snowball to £825m.

BA’s chief executive, Alex Cruz, said customers would not be left out of pocket if the breach led to fraudulent transactions on their bank accounts. “The first thing to say is that I am extremely sorry for what happened,” Cruz said on the BBC Radio 4 Today programme. “We will work with any customer affected and we will compensate any financial hardship suffered.”

Shares in BA’s parent company IAG have fallen by 1.5% since it revealed the breach on Thursday night, wiping £120m off the stock market value of the company, as investors digested the potential impact on its finances and customer demand.

Just a month after the new EU rules on data, the General Data Protection Regulation (GDPR), came into force, members of BA’s frequent flyer programme received an email reassuring them about the security of their information.

“Your personal information is in safe hands with British Airways,” the email read. “We want you to know you can trust us to respect your privacy and keep your personal information safe.”