EasyJet has revealed that the personal information of 9 million customers was accessed in what the low-cost airline is describing as a “highly sophisticated” cyber-attack.
The company announced that email addresses and travel details were accessed and it would contact the customers affected.
Of the 9 million people affected, 2,208 had credit card details stolen, easyJet told the stock market. No passport details were uncovered.
Those customers whose credit card details were taken have been contacted, while everyone else affected will be contacted by 26 May.
EasyJet did not immediately give details of how the breach occurred, but said it had “closed off this unauthorised access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data regulator.
The breach is one of the largest to affect any company in the UK, and raises the possibility of easyJet paying a large fine.
British Airways was fined £183 million in July 2019 after hackers stole the personal information of half a million customers. In the same month, the hotels group Marriott was fined £99.2 million for a breach that exposed the data of 339 million customers worldwide.
The easyJet chief executive, Johan Lundgren, said: “We would like to apologise to those customers who have been affected by this incident. Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams.
“As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
“EasyJet claims the attack was the work of ‘sophisticated’ attackers. It was likely motivated by either financial gain or for access to the details of those who have booked flights for other purposes. We suspect given EasyJet’s consumer customer base that this is principally motivated by criminal financial gain,” says Joe Hancock, Partner and Head of MDR Cyber.
“We suspect the fact that limited credit card details were taken indicates that EasyJet’s security systems were effective. This may indicate that the attackers were also limited by what they could collect as the number of bookings have plummeted in light of the COVID-19 pandemic.”