UK budget airline easyJet has announced a massive data breach affecting nine million of its customers and involving more than 2,000 credit card details.
Today easyJet said it was the target of a “highly sophisticated” attacker who gained access to the email addresses and travel details of nine million customers.
The company said that hackers had accessed 2,208 credit card details, noting that it had “closed this unauthorized access.”
The carrier will contact affected customers no later than May 26, easyJet said in a statement. The organization did not disclose when the breach occurred or how it happened, but it informed the UK Information Commissioner's Office (ICO) and the National Cyber Security Center (NCSC) and appointed a digital forensics specialist to investigate the breach.
In terms of affected customers, the easyJet data breach dwarfs a 2018 data breach at British Airways, which was fined a record £183.4m ($225m) last year by the Information Commissioner’s Office under Europe’s General Data Protection Regulation (GDPR).
The ICO blamed the British Airways data breach, which affected 500,000 customers, on the airline's “poor security arrangements” for protecting login, payment card and travel details, and name and address information, on its website.
The ICO urged easyJet to report the breach because of an increased risk that phishing attacks will target affected customers. The airline warned customers to be on the alert for unsolicited communications, although it said it had no evidence of misuse of any personal information.
“We take the safety of our networks very seriously and have robust security measures in place to protect the personal information of our customers. Nevertheless, this is a growing challenge as cyber attackers become ever more advanced,” said Johan Lundgren, easyJet CEO.
“As we became aware of the incident, it became clear that, as a result of COVID-19, there is a growing concern about the use of personal data for online scams. Consequently, and on the recommendation of the ICO, we are contacting those customers whose travel information has been accessed and advising them to be extra vigilant, particularly if they receive unsolicited communications.
“Any company has to remain agile to stay ahead of the hazard. We will keep investing in the protection of our customers, our systems and our data. We wish to apologize to those customers affected by this incident.”