The personal details of nine million customers of budget airline EasyJet have been accessed by hackers in what the airline is describing as a “highly sophisticated attack.”
(By the way, has any organisation ever admitted that it has been breached as the result of a ridiculously dumb attack that they really should have been able to stop dead in its tracks?)
The email addresses and travel details of nine million passengers are thought to have been accessed by the hackers, as well as the credit card details of 2,208 customers.
According to the airline, “There is no evidence that any personal information of any nature has been misused” but one would have to question how on earth EasyJet would know with any confidence that it hadn’t been abused.
EasyJet CEO Johan Lundgren said in a press release:
“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.
“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.
“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.
“We would like to apologise to those customers who have been affected by this incident.”
EasyJet doesn’t mention it in its press release, but it subsequently emerged that the airline discovered its IT systems had been breached in January, and yet did not begin to inform some affected customers until April, and only made news of the hack public now in May.
Can I have some advice to my rights on this, I’ve had zero support from EasyJet apart from demanding my balance next week from an account that has now been hacked, I have requested cancel through a contact form over 60 days, no response. What do I do? pic.twitter.com/j6IFz0Uvan
— Samantha Burt (@SamBurt04) April 2, 2020
EasyJet says it has informed the Information Commissioner’s Office (ICO), will have informed all remaining affected customers by May 26th, and has closed the vulnerability which they believe the hackers used to gain access to their systems.
The airline has attempted to explain this delay by describing the attack as “highly sophisticated”, and claiming that it has taken time to identify affected customers:
“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.
“In April, we notified a small group of customers whose credit card details had been impacted and offered them support including a dedicated helpline and monitoring.
“Over this time, we have been working closely with the ICO and, following those discussions, we are now notifying other customers impacted by this incident. This is particularly in light of the increased risk of phishing emails since the outbreak of Covid-19.”
More details will no doubt emerge in due course, but for now my recommendation for EasyJet customers would be to stay alert to unsolicited communications claiming to come from the company and to keep a close eye on their finances for unusual transactions.
News of the hack comes at the worst possible time for the airline, which is already facing considerable problems due to the Coronavirus pandemic.
Further reading: EasyJet’s breach notification email to customers – a closer look