Today EasyJet admitted that the personal data of nine million people had been exposed in a hack it called “highly sophisticated”.
Of the nine million people affected, the company said that most had only their email addresses and travel details compromised. However, 2,208 had their credit card details stolen too. EasyJet claims that no passport details were leaked. The company also claims there’s no evidence that any of the personal information accessed has been misused.
Those whose credit card details were affected have already been contacted, while the rest will be contacted by 26 May.
It’s advisable to change the password you use for your EasyJet account in the wake of the attack. If you reuse that password on other accounts, it would be worth changing it there too.
EasyJet said the “unauthorised access” has been shut down, and that it had reported the incident to both the ICO and NCSC. EasyJet chief executive Johan Lundgren issued an apology about the attack.
Given it’s one of the largest breaches to affect any UK company, the prospect of a hefty fine looms. But doubts are swirling over whether one will be imposed. “Even if EasyJet were found to be significantly accountable by the ICO, I doubt there would be much appetite for a big GDPR fine when the sector is already on its knees,” said Matt Walmsley, EMEA Director at Vectra.
The hack follows another on British Airways that affected around 500,000 people and resulted in a fine of £183 million in July 2019.
“18 months after British Airways suffered a major data breach, it is not surprising that airline companies continue to be a target for cyber attackers, particularly at a time when the industry is suffering from financial woes and reduced workforce due to furloughing,” said Andrew Tsonchev, Director of Technology at Darktrace.
“Across our global customer base we’ve seen an increase in highly targeted and sophisticated attacks like these in recent months. Often their goal is to compromise customer data and demand a ransom payment at a time when the business is already highly stressed. Alternatively, the data collected can help inform secondary attacks, for example to tailor a spearphishing attack.”