UK budget airline Easyjet has been hit by a “sophisticated” cyberattack exposing the email addresses and travel details of over nine million customers.
The airline said that the credit card details of 2,200 customers have also been exposed. Passport details have not been affected.
According to the airline, customers whose credit card details have been affected have already been contacted, and the nine million others will be informed before 26 May.
In a statement, Easyjet said:
“There is no evidence that any personal information of any nature has been misused, however ... we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
Easyjet cyberattack risks customer personal data
The airline became aware of the attack in January and said that it has now “closed off this unauthorised access”.
Easyjet said that it was currently working with the Information Commissioner’s Office (ICO) and National Cyber Security Centre.
Jake Moore, Cybersecurity Specialist at ESET, said that affected customers should act fast to ensure that their details are secured:
“The biggest problem for EasyJet now is to get this information out to all their customers and make them safe. When the security notification first pops up, the procrastinators will forget about it, and think it won’t happen to them. However, when something like this occurs, the truth is that money can be stolen, and large amounts too,” he said.
“For those people who have fallen victim to this attack, it would be a good idea to use the card monitoring service offered, or better still cancel the card that was used. Once card information like this is stolen, it’s a race against time for the criminals to start using it before the owner is notified and cancels it. Much of this information is sold on the dark web, with higher prices closest to when the breach occurred.”
Cyberattack comes as aviation battered by coronavirus
The attack comes at an unprecedented time for the aviation industry, with airlines currently dealing with grounded flights and processing customer refunds due to the ongoing Covid-19 pandemic. On 30 March Easyjet grounded its planes, with “no certainty of the date for restarting commercial flights”.
Last year, British Airways was handed a fine of nearly $230 million for a 2018 data breach, the largest fine issued under GDPR.
Darren Wray, CTO of UK-based data privacy start-up Guardum, said companies should be prepared for attacks such as this, particularly during the current situation.
“Another major breach of personal information from an airline is not what anyone wants, especially with the current state of the airline industry. The reference to sophisticated hackers is an unusual phrase, which may be rolled out in part as a partial defence as these days there really aren’t any other types of hacker. Companies, no matter how big or small, must assume that sophisticated hackers have them in their targets,” he said.
“Companies must implement strong processes and procedures to ensure they are only collecting the personal information that they need and ensure that they have a strong and well-tested incident response process. In addition, they must invest in the tools and staff to ensure that personal data is protected at all times as well as securely deleting or redacting when it is no longer needed.
“It is really important for CEOs and board members to be asking the questions of their data protection and information security teams to ensure that their businesses are protected; this is particularly important when business processes have had to be changed to deal with the changes in working practices caused by the Covid pandemic.”