Personal information of 9 million customers accessed in a “highly sophisticated” cyber-attack, which saw the credit card details of 2,200 people exposed
EasyJet has warned customers to be alert should they receive any unsolicited communications, after the airline admitted it was the target of an attack “from a highly sophisticated source.”
The budget airline admitted that email addresses and travel details of 9 million people were accessed. Thankfully this did not include passport data, but 2,208 people did have their credit card details stolen.
The airline made the admission in a statement to the stock market. Customers whose credit card details was compromised have already been contacted, while everyone else affected will be contacted in the “next few days” (latest by 26 May).
EasyJet said it has notified both the Information Commissioner’s Office (ICO) and GCHQ’s the National Cyber Security Centre (NCSC).
“…the Board of easyJet announces that it has been the target of an attack from a highly sophisticated source,” the airline said in its statement. “As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue.”
EasyJet did not give details of how the actually breach occurred, but said “we have closed off this unauthorised access.”
“Our investigation found that the email address and travel details of approximately 9 million customers were accessed it said. “These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed.”
“Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed,” said the airline. “Action has already been taken to contact all of these customers and they have been offered support.”
“We take issues of security extremely seriously and continue to invest to further enhance our security environment,” it added. “There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications,” it said. “We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”
“We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously,” it concluded.
News of the hack could not have come at a worse time for the airline, which is already contending with the financial fallout caused by the global Coronavirus pandemic and the resulting suspension of almost all air travel.
And the financial implications could be especially severe, as the breach is one of the largest to affect any British company.
For example, it should be remembered that British Airways in July 2019 was fined £183m after hackers stole the personal information of just half a million customers.
On 6 September 2018 BA said it had discovered a hack of its systems that had resulted in customers’ data being harvested by attackers as it was entered.
The hack, which began in June 2018, was in effect during the busy summer holiday period.
The hotels group Marriott was also fined £99.2m in July 2019 for a breach that exposed the data of 339 million customers worldwide.
Do you know all about security? Try our quiz!