easyJet Says Details of Nine Million Customers Accessed in Data Breach

easyJet has revealed that the personal data of approximately nine million of its customers has been accessed following a “highly sophisticated” cyber-attack on its system. This includes credit card details of a small subset of these customers (2208), with the airline confirming it has already taken action to contact and offer support to those individuals.

For the rest of the customers affected, email addresses and travel details were accessed. easyJet said these customers will be contacted in the next few days and that the company will “advise them of protective steps to minimize any risk of potential phishing.”

The company took immediate steps to manage the incident once it was aware of the attack and closed off the unauthorized access. It also stated that it has notified the National Cyber Security Centre and the Information Commissioner's Office (ICO) of the breach. The firm has not given any details on the nature of the breach.

There is currently no evidence that the information accessed has been misused; however, the airline is urging its customers to stay alert to any unsolicited communications and to be “cautious of any communications purporting to come from easyJet or easyJet Holidays.”

Johan Lundgren, easyJet chief executive officer, said: “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber-attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

The incident has come at a particularly bad time for easyJet, which faces the possibility of a large fine under General Data Protection Regulation (GDPR) rules.

Commenting on the breach, Felix Rosbach, product manager at data security specialists comforte AG, said: “The aviation industry is struggling at present given the current pandemic so seeing another major airline succumb to a data breach is not pleasant. On first glance, easyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.”

Last year, British Airways (BA) was hit by a record £183m GDPR fine (issued as an intention to fine) after failing to prevent a digital skimming attack in 2018.
