EasyJet announced on Tuesday that it had been the victim of a “highly sophisticated” cyber attack with the personal details of around nine million customers stolen by hackers. The low-cost airline said it had already informed the National Cyber Security Centre and Information Commissioner’s Office but did not reveal when it actually became aware of the attack or how long the hackers had had access to the data of its customers.
“As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue,” the airline said in a statement. “Our investigation found that the email address and travel details of approximately 9 million customers were accessed,” the statement continued. The airline said affected customers would be informed in the coming days.
The airline admitted that hackers also managed to access the credit card details of 2,208 customers. easyJet said that it has already taken steps to contact this “very small subset” of customers and those affected were being offered advice and support.
easyJet insisted that it “take issues of security extremely seriously and continue to invest to further enhance our security environment.” The statement continued: “There is no evidence that any personal information of any nature has been misused.”
The airline’s chief executive Johan Lundgren, attempted to reassure customers by saying that the airline already had “robust security measures” but “sophisticated” hackers presented an “evolving threat”.
“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams,” Lundgren commented. “We would like to apologise to those customers who have been affected by this incident.”
In September 2018, British Airways admitted to a cyber attack that resulted in the personal details of around 380,000 customers being stolen. For that hacking attack, British Airways was fined £183 million by the Information Commissioners Office (ICO) in what was a record fine.
The parent company of British Airways said it would “vigorously defend” itself, claiming that it had not been proven that the airline failed to comply with its obligations under so-called ‘General Data Protection Act’ (GDPR) regulations.