9 Million Customer Records Accessed In easyJet Data Breach

• easyJet has announced that about 9 million customer travel records were breached in a “highly sophisticated” hack.
• Only 2,208 customer had their credit card details accessed, but the company assures affected customers that other information such as passport numbers were not part of the breach.
• All affected customers will be contacted in the next few days.
• Subscribe to our daily newsletter for travel and aviation news and reviews.

In their press release, easyJet said that a forensic investigation was launched immediately upon discovering that their system was breached, and discovered that the majority of records involved only contained email addresses and travel details. They also noted that only 2,208 customers had their credit card details accessed.

The airline also said that affected customers will be contacted within the next few days, and that those who had their credit card numbers accessed were already contacted. They have also determined that stored passport numbers were not part of the breach.

Our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed. Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed.

Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed. Action has already been taken to contact all of these customers and they have been offered support.

easyJet Chief Executive Officer Johan Lundgren said:

“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.

Get the latest travel and aviation news and reviews - delivered straight to your inbox

Subscribe

Subscribing...

Thank you for subscribing!

You're almost there! A confirmation email has been sent to verify your subscription.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams.  As a result, and on the recommendation of the Information Commissioner’s Office (ICO), we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.

“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.

“We would like to apologise to those customers who have been affected by this incident.”

The company believes that the accessed data was not distributed or misused in any way, but like other data breaches, affected customers should be aware of potential phishing attempts later down the line. If customer emails are eventually published, scammers could use them for social engineering attacks.

Even if you were not affected by the breach, it’s always a good idea to re-evaluate your data safety strategy. Some tips include:

• Using unique passwords for different websites – While using a strong password may not be a safety net in itself (as they could easily be accessed if not stored in an encrypted format), at least it prevents hackers from trying to same password on other sites such as your social media accounts or banks.
• Enable two-factor authentication – Add an extra layer of security, whether it be through an authenticator app, text message or via a secondary email address.
• Keep an eye out for phishing emails – Scammers tend to create emails posing as companies asking for password resets or asking for authorization to process banking transactions. These emails usually almost always look like the real deal, and it’s a good idea to check the sender’s email address. Another tip includes hovering over the links to see what the URL is. If it doesn’t appear legitimate, delete it immediately.

[Featured Photo: Anna Zvereva/Flickr (CC BY-SA 2.0)]