EasyJet’s breach notification email to customers – a closer look

Graham Cluley
@gcluley

Let’s take a closer look at the email EasyJet is sending to customers affected by its recently-revealed security breach.

From: easyJet <bookings@info.easyjet.com>
Subject: Cyber Security Incident

Notice of cyber security incident – be alert to phishing emails

Dear Customer,

A personal communication, but they don’t use my name? That’s a funny way of doing things.

Many times we’ve told users that an email which doesn’t refer to them by name might be considered more suspicious.

After all, it’s less effort for bad guys to spam out a phishing attack to thousands of people with the greeting “Dear Customer” than “Dear Fred”, “Dear Richard”, “Dear Ethel”…

I wanted to write to you personally in regards to a recent cyber security incident at easyJet.

EasyJet’s announcement about the breach was definitely recent, but can the security incident itself actually be considered “recent”? I might beg to differ. Maybe we could all do with a reminder of what the word “recent” means before we carry on…

All up to speed? Right, let’s continue…

As you may have heard, we announced on 19th May 2020 that we were the target of an attack from a highly sophisticated source.

“An attack from a highly sophisticated source.” That won’t be HP Sauce then! Sorry, that’s a #dadjoke.

Pardon me if I sound skeptical when yet another company calls an attack “highly sophisticated.” Remember when TalkTalk made the same claim and it turned out to a bog standard SQL Injection attack pulled off by a teenager?

I hope one day we’ll hear more details about what happened, because so far EasyJet doesn’t seem to be sharing much information.

And yes EasyJet, you announced the breach on 19 May, but when did you actually become aware that your systems had been hacked?

As soon as we became aware of the attack, we took immediate steps to manage and respond to the incident, closing off the unauthorised access. We engaged leading forensic experts to investigate the issue and we also notified the National Cyber Security Centre and the Information Commissioner’s Office (ICO).

Well done. But when was this exactly? Because although you took the above action (which is good) you didn’t tell affected users at this point, did you? How much time was there between becoming aware of the attack and going public on 19 May?

Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020.

The odd thing is that some EasyJet customers have received this notification despite not taking any flights or booking any holidays with EasyJet between those dates. So I’m guessing this is another impersonal part of the “personal communication,” designed to cover the date range that EasyJet feels it systems were compromised.

So, is that the case? Had the hackers compromised EasyJet’s systems as far back as 17 October 2019 (as sounds possible), and did it take until 4 March 2020 for the hackers to be booted out?

Your passport and credit card details were not accessed, however information including where you were travelling from and to, your departure date, booking reference number, the booking date and the value of the booking were accessed.

It’s good news if passport and credit card details were not accessed. EasyJet clearly wants us to know that, and that’s why they’ve written that bit in bold. But is it the case that no EasyJet customers had that infomation breached, or just the ones who received this email?

Sign up to our newsletter
Security news, advice, and tips.

Some EasyJet customers say that they received an email from the airline in late March, saying that their credit card details (including CVV security code) *had* been accessed by hackers.

It sounds to me that EasyJet may have informed in late March customers who had had their credit card details swiped by hackers, but didn’t tell other affected customers (or the media) about the wider breach until almost two months later.

The odd thing about this is, of course, that EasyJet shouldn’t be storing credit card CVV details. Which makes me suspect that perhaps the attack was a Magecart-style skimming attack which grabbed the payment details (and other personal information) from EasyJet customers as they booked flights on the airline’s website.

You may recall that a similar attack to that happened to British Airways amongst others.

We are very sorry this has happened.

I’ll bet. Airlines are going through an extremely stressful time at the moment, due to the Coronavirus pandemic shutting down their operations. But then, plenty of EasyJet customers are going through a difficult time too – and now have the fact that their personal details have been stolen by hackers to contend with as well.

Please be extra careful about phishing attacks

There is no evidence that personal information of any nature has been misused but please do be extra careful if you receive any unsolicited communications, particularly if they claim to be from either easyJet or easyJet holidays. Please note that we will never contact you unprompted to ask for your account details or security information, and we will never ask you to disclose your passwords, or to change your passwords on your easyJet account.

Telling people about the risks of phishing attacks is sensible, so it’s good to see EasyJet share this warning. It’s not at all unusual to see members of the public fooled by phishing attacks or scam phone calls after a data breach.

You do not need to take any action apart from continuing to be alert as you would normally be, especially with any unsolicited communications. To help you stay safe online, please remember:

– Do not open emails or attachments if you have any questions on the source
– Make sure you know who you are dealing with before disclosing any personal information online
– Always check links before clicking on them – you can do this by hovering over the link to see whether the source is recognisable. Do not click any link if you are unsure

The ICO has very helpful information on its website, including an article related to phishing posted on 31st March 2020 entitled ‘Stay One Step Ahead of the Scammers’. The National Cyber Security Centre likewise has useful guidance, including an article entitled ‘Phishing attacks: dealing with suspicious emails and messages’.

More information on the cyber incident with easyJet can be found on our website. Additionally, if you have any further questions, please email us at infoalert@easyjet.com

Hang on.. haven’t you forgotten something…

Once again, we’re sorry that this attack has happened.

Thank you for apologising, but I was expecting something else…

We do take the safety and security of our customers’ information very seriously and will continue to take every action to protect it against any future attacks.

There it is! (my emphasis)

Yours sincerely,

Johan Lundgren
CEO, easyJet

Further reading: How EasyJet customers could make money out of the airline being hacked

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

19 comments on “EasyJet’s breach notification email to customers – a closer look”

  1. Yep ….. they take your safety & security extremely seriously! Just like issuing refunds to their customers for flights that they cancelled.

    Total managerial incompetence.

  2. Good article I’m with you and also mystified as to why they did not suggest we change passwords (you know just in case) as a standard procedure when data breaches happen.

  3. From one bunch of scammers to another. Hackers stealing details or easyjet stealing refunds. Both situations are illegal but why aren't the police arresting easyjet bosses? ……. Catherine Bradley cbe dons her fsa directors cap and seeks to protect us from financial fraudsters then dons her easyjet directors cap and becomes part of the company who illegally holds refunds. Just about says it all really.

  4. Good article, there are the hackers and the so called legitimate businesses that offer people a good deal,taking seconds to withdraw your money but somehow an eternity to refund when things go pear shaped!

  5. I got my email from easyJet on the 21st MAy to inform me that my account had been comprimised, this arrived the day after I had received a phishing email.
    Presently awaiting a refund this email had an attachment for pAyement confirmation. All very genuine looking. I am in my late70 I could have very easily been taken in by this and furnished them with the information they requested. Really very disappointed in easyjet in all aspects of their handling of everythi

  6. In my view the timing is suspicious, and has the tainted wiff of a diversionary tactic.
    Having received crisism for delaying refunds against cancelled flights and attempting to retain the monies paid, through offering vouchers; synical it may be but I think they are tempting to gain sympathy.
    Pathetic, and typical. Dear customer! Seriously, who are they trying to kid?

  7. They didn't mention anything about phone details which are also stored with flight detail being hacked either.
    Sadly under this recently appointed CEO the once good Company is simply nose diving and not sure whether he can get it (the nose that is) up again!

  8. Since getting the email from easyJet have been inundated with phone calls from every part of the world. Every time I block one another calls. EasyJet never mentioned phone number being hacked

  9. you trust these people
    Had not had my refund to for my flights now been hacked what a joke this company are do you not know if we'll be compensated for our trouble will not be flying with easyJet again .

  10. Good article, thanks Graham Cluley !

    Just wondering what would happen now that our personal details are out there in the hands of scammers ? Should we take any action against easyJet for allowing this to happen and for late alerts ?

  11. Ah but you are all forgetting that easy jet have billions of pounds worth of planes on order with Airbus despite the fact that air travel will not be the same after covid 19. I wonder what incentive there is for these orders not to be cancelled.
    Stellios is right the board are a bunch of "scoundrels" to use his description.

  12. I have had my compensation claim declined and EasyJet quoted EU Regulation EU261/2004. Has anyone else had this regulation quoted to them? They also said that this was their final decision and that there was no point in me contacting Customer Services. No vouchers or future flight arrangements were mentioned or offered. I flew with EasyJet a number of times last year. Obviously loyalty counts for nothing. I am now an ex customer. They won’t be getting my business again. To add insult to injury, the following day they emailed me to say I was a victim of the hacking they experienced and another email informed me that bookings could now be made for future flights. ???????????????????????????????????? Morons!

  13. Some of my information held by EasyJet has been compromised. Fortunately credit card and passport details were not obtained. but my mobile was rung at 2.30 am Friday morning 22nd May by +256 477 740 863 -I think an Ugandan number. Phone was switched off so no contact made and a missed call notification alerted me to this unfamiliar number.
    Please be vigilant.

  14. Easy jet are certainly going the right way In keeping their customers after this breach of security.
    Also when are they going to do the decent thing and refund customers for cancelled flights and holiday's it's dragging on far too long.

  15. Yes agree refunds are not getting paid out by the looks of it…. impossible to get through to them on the phone for a refund

  16. I have tried to cancel my easyJet account and they do not make that easy. They are asking me to upload a photo of myself. Why would they need this? I didn’t send a photo to open my account. I have emailed easyJet asking them to delete my account but I have heard nothing back

  17. I received an email stating that my flights would be refunded shortly after the data breach was confirmed.

    I assume this is a fake phishing email, but no one can confirm one way or the other as no one has got back to me!

    Annoyingly, I have since emptied my spam folder, so do not know whether it was genuine or not (and if not) use it as proof that their incompetence is having an effect on me.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.