In their press release, easyJet said that a forensic investigation was launched immediately upon discovering that their system was breached, and that it found the majority of records involved contained only email addresses and travel details. They also noted that only 2,208 customers had their credit card details accessed.
The airline also said that affected customers will be contacted within the next few days, and that those who had their credit card numbers accessed have already been contacted. They have also determined that stored passport numbers were not part of the breach.
Our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed. Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed.
Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed. Action has already been taken to contact all of these customers and they have been offered support.
easyJet Chief Executive Officer Johan Lundgren said:
“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.
“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the Information Commissioner’s Office (ICO), we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.
“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.
“We would like to apologise to those customers who have been affected by this incident.”
The company believes that the accessed data was not distributed or misused in any way, but as with other data breaches, affected customers should be aware of potential phishing attempts later down the line. If customer emails are eventually published, scammers could use them for social engineering attacks.
Even if you were not affected by the breach, it’s always a good idea to re-evaluate your data safety strategy. Some tips include:
[Featured Photo: Anna Zvereva/Flickr (CC BY-SA 2.0)]