Budget airline EasyJet has confirmed that the company was hit by a “highly sophisticated cyber-attack” that has compromised the data of around nine million customers.
The company has said that the travel details and email addresses of nine million customers had been compromised, and that 2,208 customers had their credit card details ‘accessed’ by hackers. Reports state that the stolen credit card details included the three-digit CVV number on the back of the card.
EasyJet has fulfilled its legal obligations to notify the UK’s Information Commissioner’s Office, which will now investigate the data breach; the company has said it first became aware of the cyber breach in January 2020.
EasyJet has told the BBC that “this was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.”
“We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”
EasyJet’s CEO, Johan Lundgren, has issued a statement saying that “since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams.”
“As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
“We would like to apologise to those customers who have been affected by this incident,” Lundgren concluded.
The company has said that it will notify all customers impacted by the data breach by the 26th of May, and has begun the process of taking this news public to ensure that those caught up in the breach won’t fall for phishing scams in the near and distant future.
While EasyJet did not provide further details of the hack, it did say that the hackers were looking to target “company intellectual property,” rather than personal information on its customers.
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
“We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet holidays,” the company warned.
The Information Commissioner’s Office has released a statement saying that “people have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”
In September of 2018, British Airways announced that the personal information of around half a million of its passengers had been compromised by hackers, and the ICO handed down a £183 million fine for the breach and lack of adequate protections for its passengers’ personal information; the BBC writes that “compensation pay-outs to customers could see that reach £3 billion.”
The General Data Protection Regulation (GDPR) guidelines stipulate that a company is liable for fines of up to 4% of its annual worldwide turnover for negligence leading to a data breach. According to EasyJet's 2019 figures, the company increased its total revenue by 8.3% to £6.3 billion.
Aman Johal, a lawyer quoted by the BBC in its report, added that “it’s impossible to determine yet whether or not there has been negligence but, if so, consumers could be eligible to claim compensation, raising the financial penalty imposed on the airline significantly.”
Mike Fenton, chief executive of threat detection at cybersecurity firm Redscan, has said that “these are already turbulent times for all companies within the aviation industry but the situation has just got significantly worse for EasyJet.”
“To add to the company’s woes, it now has to explain how the personal records of nine million customers were able to be accessed… when it comes to cyber security, the airline industry doesn’t have a great record,” he added.
“The British Airways breach in 2018 should have been a wake-up call and passenger confidence is likely to be at an all-time low after this,” Fenton added.