EasyJet has fessed up to a major data breach, which has seen the personal data of 9 million customers compromised – and the credit card details of just over 2,200 stolen – in a hack attack which dwarfs the notorious 2018 British Airways incident.
The airline, which has already been hit hard by the Covid-19 pandemic, insists there is no evidence that the data has been “misused” and said the online channels affected by the attack have since been closed.
In a statement, EasyJet said: “There is no evidence that any personal information of any nature has been misused, however… we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.
“We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously. EasyJet is in the process of contacting the relevant customers directly and affected customers will be notified no later than May 26.”
The company said it has already reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre.
Those whose credit card details were accessed should already have been contacted.
Chief executive Johan Lundgren said: “Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams.”
On the surface, the hack could prove disastrous for the airline. The BA hack, which in part involved user traffic to its website being diverted to a fraudulent site, affected 500,000 customers, but there was little evidence of any fraud.
Even so, the ICO published a notice of intent to fine the company 1.5% of its global turnover – £183.39m – following an investigation. And although the airline has yet to pay a penny – the ICO announced the third delay last week – 1.5% of EasyJet’s £6.4bn turnover would still come in at a whopping £96m.
MDR Cyber partner Joe Hancock said: “EasyJet claims the attack was the work of ‘sophisticated’ attackers. It was likely motivated by either financial gain or by access to the details of those who have booked flights for other purposes. We suspect, given EasyJet’s consumer customer base, that this is principally motivated by criminal financial gain.
“We doubt any regulator will now take drastic action against an industry which is staggering under Covid-19, but nonetheless BA is now facing a group action which will come at a significant administrative cost and where they may be found liable.
“Airlines are in a difficult position. They must allow access to systems in airports and other facilities all over the world along with access to book and rebook flights. This model presents challenges to balance security of data against widespread user access. They must take millions of payments from customers all around the world, against a background of widespread cyber-attacks in an environment where regulators and the public are taking a less forgiving line.
“We suspect the fact that limited credit card details were taken indicates that EasyJet’s security systems were effective. This may indicate that the attackers were also limited by what they could collect, as the number of bookings has plummeted in light of the Covid-19 pandemic.”