International Airlines Group said an investigation into the theft of customers’ data at its British Airways subsidiary showed hackers may have stolen the personal information of a further 185,000 customers.

British Airways apologized in September after the credit card details of hundreds of thousands of its customers who made bookings between Aug. 21 and Sept. 5 were stolen in the most serious attack on its website and app.

On Thursday, BA said that it was notifying the holders of another 77,000 payment cards that the name, billing address, email address and card payment information, including card number, expiry date and security code, had potentially been compromised, and the holders of a further 108,000 cards that the same details, without the security code, had potentially been compromised.

These customers were those who had made reward bookings between April 21 and July 28, 2018 and who used a payment card.

“Investigation into a cyber attack at British Airways is ongoing,” Britain’s Information Commissioner’s Office said in a statement.

British Airways also revised down its original estimate of 380,000 cards compromised in the September cyber attack, saying only 244,000 of those were affected.

This takes the total number of payment cards potentially affected by the hack to 429,000.

British Airways confirmed that it had no verified cases of fraud since the announcement on Sept. 6.

A BA spokeswoman told Reuters the airline would reimburse customers who suffered financial losses as a direct result of the data theft.

The attack came 15 months after the carrier suffered a computer system failure at London’s Heathrow airport, which stranded 75,000 customers over a holiday weekend. (Additional reporting by Sangameswaran S.)
