EasyJet data breach sees nine million customer details stolen

Image credit: DT

EasyJet has suffered a “highly sophisticated” cyber-attack that has exposed the travel details and email addresses of nine million customers and could have been perpetrated by Chinese hackers.

The attack happened in January and 2,208 customers also had their credit card details stolen in a "highly sophisticated" attack, the no-frills airline has said.

Two Reuters sources said the hacking tools and techniques used in the attack suggest it came from a group of Chinese hackers that has targeted multiple airlines in recent months.

The news of the data breach could see easyJet facing significant fines from regulators in another financial blow to the firm, which is already suffering from a downturn in passengers due to the Covid-19 pandemic.

The airline insisted there is “no evidence that any personal information of any nature has been misused” although declined to comment on who was responsible. It added that it has been “the target of an attack from a highly sophisticated source”.

The attackers were able to access bookings made between the middle of October 2019 and early March 2020.

Chief executive Johan Lundgren insisted that the carrier has “robust security measures in place” but acknowledged that “this is an evolving threat as cyber attackers get ever more sophisticated”.

He apologised to customers and advised them to be “extra vigilant, particularly if they receive unsolicited communications”.

He added: “Every business must continue to stay agile to stay ahead of the threat.”

A spokesman from The National Cyber Security Centre said: “We are aware of this incident and have been working with easyJet from the outset to understand how it has affected people in the UK.”

Javvad Malik, security awareness advocate at KnowBe4, said: “There is never a convenient time for individuals' details to be accessed by criminals. However, any exposure amidst the Covid-19 outbreak can be even more damaging as criminals can use people’s personal information to launch phishing attacks against them. It is why the ICO has recommended easyJet contact all affected individuals.

“Individuals should be extra vigilant in these circumstances, especially if they receive unexpected emails either from easyJet or from official bodies.”

Felix Rosbach, product manager at data-security specialists comforte AG, said: “The aviation industry is struggling at present given the current pandemic so seeing another major airline succumb to a data breach is not pleasant.

“On first glance, easyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.

“Organisations that process PII data need to take a serious approach to data-centric security. There are proven methods available which can reduce the impact of such data breaches. Tokenisation is a great example. With such an approach, all sensitive data elements get replaced by tokens.

“That means that in the case of a data breach, the data is worthless for attackers. Furthermore, as it is the data elements themselves that are protected, security travels with the data. No matter if it is processed and stored within the company network, or whether it moves outside the perimeter."

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles