Budget airline easyJet has admitted it has been subjected to a “highly sophisticated” cyber-attack that has compromised the data of millions of customers.
Indeed, the airline admitted that email addresses and travel details of 9 million people had been accessed. Thankfully this did not include passport data, but 2,208 people did have their credit card details stolen.
This is the latest compromise of a corporate system, and could prove to be expensive for the airline, which is already contending with the financial fallout caused by the global Coronavirus pandemic and the resulting suspension and reduction of almost all air travel.
The fact that the easyJet breach is one of the largest to affect any British company – and is likely to be causing sleepless nights for the airline’s management – has provoked an immediate response from cyber security experts.
“The biggest problem for easyJet now is to get this information out to all their customers and make them safe,” noted Jake Moore, cybersecurity specialist at ESET.
“When the security notification first pops up, the procrastinators will forget about it, and think it won’t happen to them,” said Moore. “However, when something like this occurs, the truth is that money can be stolen, and large amounts too.”
“For those people who have fallen victim to this attack, it would be a good idea to use the card monitoring service offered, or better still cancel the card that was used,” Moore cautioned. “Once card information like this is stolen, it’s a race against time for the criminals to start using it before the owner is notified and cancels it. Much of this information is sold on the dark web, with higher prices closest to when the breach occurred.”
Another expert also warned of the increased risks of phishing scams following the easyJet data breach, and to only contact the airline via the details on its website.
“EasyJet customers are now at greater risk of phishing scams following this cyberattack, and people need to be wary of emails they receive purporting to come from the airline company,” said Tim Sadler, CEO of Tessian.
“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting easyJet directly using details on their website,” Sadler warned.
“Unfortunately, it was only a matter of time before a cyber attack of this scale crippled a large organisation, and the attack should act as a warning to all organisations that no one is safe from a severe breach of data,” Sadler added. “Cybercriminals have not missed a trick to capitalise on the Covid-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time.”
“The travel industry especially has been severely impacted by Covid-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future,” Sadler said. “Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices, and carrying them out at all times.”
The potential impact on the future of easyJet was also noted by another security expert.
“Organisations continue to struggle with data breaches such as this one and they have massive implications for large organisations,” said Phillip Hay, Head of threat intelligence analysis at Mimecast.
“Firstly, there is the financial impact as a result of fines,” said Hay. “But secondly, and probably more importantly, is the reputational impact that breaches cause. Consumers trust the organisations they do business with to protect and safeguard their data. Any organisation that fails to do so will break this trust and is likely to lose business as a result.”
“To properly protect data, security teams within an organisation must assess their database security and always follow best practise,” Hay advised. “Database misconfiguration is often overlooked and so it’s crucial that IT teams understand their environment and know where the data is being stored so that they are able identify any vulnerabilities quickly and easily and issue a patch update where required.”’
“It is also advisable that organisation carry out pen testing so that they are able to identify any flags quickly,” Hay added. “It is also important to ensure staff are trained correctly so that they can be aware of basic data security principles.”
“The importance of correctly securing data cannot be underestimated,” Hay concluded. “You only need to look at organisations who have suffered from large-scale breaches previously to see the reputational impact that they have suffered.”
This hack will be the last thing that an airline wants to have to deal with at the moment, another cyber security warned, noting easyJet’s comments about sophisticated hackers.
“Another major breach of personal information from an airline is not what anyone wants, especially with the current state of the airline industry,” said Darren Wray, CTO at UK-based data privacy start-up, Guardum.
“The reference to sophisticated hackers is an unusual phrase, which may be rolled out in part as a partial defence as these days there really isn’t any other types of hacker,” said Wray. “Companies, no matter how big or small, must assume that sophisticated hackers have them in their targets.”
“Companies must implement strong processes and procedures to ensure they are only collecting the personal information that they need and ensure that they have a strong and well-tested incident response process,” said Wray. “In addition, they must invest in the tools and staff to ensure that personal data is always protected as well as securely deleting or redacting when it is no longer needed.”
“It is really important for CEOs and board members to be asking the questions of their data protection and information security teams to ensure that their businesses are protected, this is particularly important when business processes have had to be changed to deal with the changes in working practises caused by the Covid pandemic,” Wray concluded.
Meanwhile Jeremy Hendy, CEO of Skurio warned that easyJet customers should be changing security information for web accounts or app usage immediately as a precaution and monitor their bank account for fraudulent activity.
“They should also be wary of any correspondence they receive by email or text message,” Skurio’s Hendy added. “We have seen previously that criminals use these types of incidents to slip phishing attempts under the radar.”
“This is done by recycling contact details from historic breaches and hoping worried customers will let their guard down,” said Hendy. “With 9 million travel customers affected there could be a significant overlap with previous similar breaches such as British Airways and Marriott Hotels.”
Another expert warned that hacked organisation’s are too often using the excuse of sophisticated hackers.
“The Airline industry is not a new target and in previous years cybercriminals have targeted multiple airline customers stealing sensitive data such as identity documents, credit cards details, travel itineraries and frequent travel miles,” said Joseph Carson, chief security scientist at Thycotic.
“The notice of the security incident includes the common terms such as a highly sophisticated source, though this all too often turns out to be overstated and until a proper digital forensics investigation is completed, such statements tend to attempt to downplay responsibility,” said Carson.
“The statement includes that robust security measures are in place but as always, it only takes one click on a malicious email, a stolen credential or a misconfigured database that allows criminal attackers access to company’s networks,” said Carson.
“The main concern is it appears that not all customers have been notified yet which means between now and proper notifications, it is highly likely that their data could be abused unknowingly,” warned Carson. “This type of notification will also likely mean a large flood of inbound customer support calls that could overwhelm EasyJet’s already stretched support team.”
“The notice of the security incident could do with improvements but at least it is a good start and easyJet do appear to be following an Incident Response plan,” Carson concluded. “Any sensitive data should be always protected with strong encryption, multifactor authentication and strong privileged access security or reduce the risks from unauthorised access.”
The easyJet hack, whilst being large, did not compromise passport data – a fact noted by another expert.
“While this is a huge breach and any exposure of personal details heightens the risk of phishing, the one sliver of good news here is that passport details don’t appear to have been touched,” said Chris Boyd, lead malware intelligence analyst at Malwarebytes.
“Credit cards can be replaced but once your passport is dumped online, things can become complicated very quickly,” said Boyd. “Everything from selling passport data to being caught up in money mule scams using fake identities can cause chaos for those affected.”
Another expert issued some sound advice for customers seeking to protect themselves from identity theft.
“There are some simple but effective steps you can protect yourself against hackers and take control of your digital identity,” explained Emmanuel Schalit, CEO of password manager Dashlane.
“The average internet user has over 200 digital accounts that require passwords, and we projects this figure to double to 400 in the next five years,” said Schalit. “As a result managing passwords for them all has become incredibly hard.”
“The first step is to use a decentralised password manager to create unique passwords for each website or service you use, so you don’t have to try and remember each and every password,” said Schalit. “Plus, when one account is breached, all your other accounts are still safe. It’s simple and extremely effective.”
Meanwhile another expert noted the cloud migrations is another wrinkle for IT staff to consider and secure properly.
“The compromise at easyJet which allowed an attacker to steal the data of approximately nine million customers is, unfortunately, an all too common occurrence,” noted Tony Cole, CTO of Attivo.
“Every year, enterprise CISOs deal with new organisational initiatives that potentially increase risk as systems and applications change,” said Cole. “Fast migration to the cloud, for example, can sometimes be at the expense of comprehensive risk mitigation allowing new vulnerabilities to be discoverable.”
“Over time financially motivated attackers will target any organisation that may have compromised data that can be monetised,” Cole warned. “It’s important CISOs understand their risk based on their critical assets and equip their environment to detect those threats that slip past perimeter-based preventative tools.”
“There’s no such thing as a perfectly secure infrastructure so it’s crucial to be able to detect threats moving east-west across your enterprise before they have a chance to steal valuable data,” Cole concluded.
Meanwhile Matt Walmsley, EMEA director at Vectra noted that transportation as part of critical national infrastructure is a tempting target for nation state threat actors and cybercriminals alike.
“Whilst EasyJet characterise this attack as coming “from a highly sophisticated source” we’ve yet to see details that corroborate the sophistication or attacker attribution,” said Walmsley. “It may well be the case that, like the British Airways attack, they’ve had a web application compromised which has been used to gain unauthorised access.”
“As 9 million customers’ data has been accessed, it is a significant breach,” said Walmsley. “Even if EasyJet were found to be significantly accountable by the ICO I doubt there would be much appetite for a big GDPR fine when the sector is already on its knees and close to collapse for some airlines.”
Another expert agreed that the easyJet breach is a sizeable breach, but warned that follow up attacks could also be damaging.
“Email addresses and travel details of nine million EasyJet customers, along with the credit card details of more than 2,200, is a significant breach,” said Cath Goulding, CISO Nominet.
“While EasyJet has stated that there is no evidence that information has been misused yet, given the breadth of data that airlines hold, follow-up phishing attacks could be damaging,” Goulding added. “This is not to mention the fact that the data flowing between airline and customer is often to prove identity, and is consequentially especially valuable.”
“The airline industry is undoubtedly facing one of its most testing times,” Goulding concluded. “As we start to look towards a life post-lockdown, however, it will continue to be vital to the world economy. Ensuring that standards don’t slip, that security precautions are taken, and that we follow best practices will be vital to maintaining integrity and trust by customers in this new world.”
One cyber security and criminal justice expert speculated that due to the small number of impacted customers (relative to the overall total number of easyJet passengers), could suggested an isolated server had been compromised.
“9 million user records and just 2 million credit card details seem to be just a tiny percentage of the total number of EasyJet customers,” said Ilia Kolochenko, founder & CEO of web security company ImmuniWeb.
“This may be an indicator that either the attack affected an isolated server or probably a supplier, or that it was quickly detected stopping data exfiltration process of the attackers,” said Kolochenko.
“The scant volume of currently disclosed information about the data breach is, however, insufficient to make definitive conclusions about the origins and potential consequences of the attack,” Kolochenko noted.
“In any case, it will likely be difficult to avoid financial penalties under the GDPR, but depending on the negligence involved in the cause of the incident, the fine may be rather nominal than exemplary punitive,” he added “Affected customers should urgently contact their banks to consider credit card cancellation and re-issue process.”
Another expert warned that businesses should be limiting access to highly sensitive customer data to better safeguard their organisations.
“EasyJet might be the latest organisation to make the headlines but time and time again we see privileged information leaked,” said Mark de Simone, VP and MD, UK and Nordics at Wallix.
“And they are not the only company to find themselves in this situation. This reinforces the need for businesses to bolster their security with a second line of defence,” said de Simone. “By limiting access to highly sensitive customer data, businesses can not only decrease the chance of a breach, but they can have more control and limit the potential damage.”
“Exposing the information of nine million customers is something which cannot be ignored,” de Simone concluded. “Businesses have a responsibility to protect customer data, so it is a fundamental part of any good cyber security strategy to ensure users to do not have blanket access to highly sensitive data.”
And finally another expert noted that the use of some types of cyber attacks have increased during the Coronavirus pandemic.
“Not for the first time an airline company has fallen prey to a data breach,” said Faiz Shuja, co-founder & CEO of SIRP Labs. “The valuable haul of personal information they hold is a magnet for cyber criminals which means, sadly, it probably won’t be the last.”
“As attackers become more sophisticated and attacks continue to evolve, cyber security teams newly adjusted to remote working are experiencing unusually high levels of threat alerts,” said Shuja. “Brute force attacks against firewalls, VPNs and Remote Access Servers, in particular, have skyrocketed during the Covid-19 pandemic.”
“Cyber security teams are crying out for tools that take account of an organisation’s risk profile and automatically place security alerts into context,” said Shuja. “Armed with this intelligence they are much better equipped to take informed decisions and respond more rapidly to serious security incidents.”
Do you know all about security? Try our quiz!
Europe tax setback? EU's General Court rules the European Commission failed to prove Amazon enjoyed…