This week EasyJet has fallen victim to a “highly sophisticated” cyber attack, exposing the email addresses and travel details of millions of customers.
Hackers have accessed the email and travel details of around 9 million customers, and the credit card details of more than 2,000 of them, in a “highly sophisticated” attack.
All the customers affected will be contacted in the next few days and the airline has closed off the unauthorised access and has notified the Information Commissioner’s Office (ICO) and the National Cyber Security Centre. The company said in a statement: “There is no evidence that any personal information of any nature has been misused.”But, it added: “We are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
Johan Lundgren, easyJet chief executive, said: “We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information.
“However, this is an evolving threat as cyber attackers get ever more sophisticated.”
EasyJet’s disclosure comes as its leadership battles a number of challenges including the turbulence caused by the coronavirus pandemic.
Sarah Pearce, Privacy and Cybersecurity Partner at Paul Hastings, the global law firm, commented on the news that EasyJet has suffered a data breach affecting nine million customers:
“In an industry that is already suffering heavily due to entire fleets being grounded by the current crisis, this shows again that security incidents are rife with hackers taking advantage of the challenges and disruption brought about by COVID-19. This, together with the fact that bad actors are becoming ever more sophisticated and can hack into even the most secure systems, results in a recipe for disaster.
Airlines are generally thought of as amongst the most secure when it comes to protection of personal data, and were indeed amongst the first to consider GDPR compliance, but that doesn’t mean they are safe from cybercrime. Now is the time to enhance cybersecurity hygiene and ensure compliance with data protection legislation.”