Last month British Airways confirmed customer data was accessed from its website and mobile app at the height of summer with 380,000 card payments being compromised.

But today, it said hackers may have stolen additional personal data from 185,000 customers making reward bookings between 21 April and 28 July 2018.

This includes 77,000 card holders who may have had their name, billing address, email address, card payment information such as card number, expiry date and CVV potentially compromised.

British Airways will also be contacting 108,000 customers who may have had their details accessed, excluding their payment card CVV.

It added that while there’s no conclusive evidence that data was removed, it’s urging customers to contact their bank or card provider as a precaution. Customers who aren’t contacted by British Airways by 5pm on Friday 26 October don’t need to take any action.

The airline also said that of the 380,000 payment card details initially identified last month, 244,000 were affected but it has had no verified cases of fraud.

A statement read: “We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.”

‘Hugely embarrassing for British Airways’

Simon Migliano, head of research and cyber security expert at Top10VPN.com, said the latest update is hugely embarrassing for British Airways, which has been reeling since the hack was first announced in September.

“Credit card details and supporting personal information may have already been sold on the dark web, but because this information has no clear tie to BA as the source, it’s impossible to track.

“We know from recent research that the type of information stolen from BA continues to be the most popular and lucrative sold on the dark web, going for over £50 an item.

“BA might have moved quickly to shore up its own cyber security but customers will feel the pain for months.”