EasyJet data breached: over 9 million customers affected

EasyJet revealed today that the data breach was “highly sophisticated”, and that email addresses and travel details were accessed, including passport data.

The budget airline stressed that evidence has not yet come to light regarding misuse of data, however they would contact all affected customers.

“We are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” EasyJet stated, following recommendations to do so from the Information Commissioner’s Office (ICO).

“We would like to apologise to those customers who have been affected by this incident,” said Johan Lundgren, chief executive of EasyJet.

“Since we became aware of the incident, it has become clear that owing to Covid-19, there is heightened concern about personal data being used for online scams.

“As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

Data protection in the time of Covid-19: an unprecedented challenge

Michelle Rule, associate at Thomson Snell & Passmore LLP, explores the impact on data protection in the time of Covid-19. Read here

Jake Moore, cyber security specialist at ESET, commented: “The biggest problem for EasyJet now is to get this information out to all their customers and make them safe.

“When the security notification first pops up, the procrastinators will forget about it, and think it won’t happen to them. However, when something like this occurs, the truth is that money can be stolen, and large amounts too.

“For those people who have fallen victim to this attack, it would be a good idea to use the card monitoring service offered, or better still cancel the card that was used.

“Once card information like this is stolen, it’s a race against time for the criminals to start using it before the owner is notified and cancels it. Much of this information is sold on the dark web, with higher prices closest to when the breach occurred.”

Matt Middleton-Leal, general manager EMEA & APAC at Netwrix, meanwhile, believes that the breach will prove a puncture in customer trust in EasyJet’s data protection.

“While it is impossible to have 100% security, it seems clear EasyJet did not have appropriate control over their data, and may well lose customer confidence as a result,” he said.

“As the travel industry weathers the COVID-19 storm, it is imperative that airlines maintain the trust of loyal customers and new potential travellers, especially as communication with customers still remains solely virtual.

“Despite airlines currently well below flying capacity, and the majority of aircraft grounded, security for the travel industry must still be paramount, especially with the ‘cyber-pandemic’ rising alongside the COVID-19 disease as COVID-related phishing attacks have been on the rise, with people falling victim more often during this period.”

ICO sets out regulatory approach during the coronavirus pandemic

The Information Commissioner’s Office (ICO) has announced its regulatory approach to data protection during the coronavirus crisis. Read here

Regulatory steps

The aviation industry has been hit hard by the current pandemic, with flights worldwide being put on hold and customers staying at home, and so any potential penalties issued by the ICO may be withheld under the circumstances.

“As nine million customers’ data has been accessed, it is a significant breach,” said Matt Walmsley, director EMEA at Vectra. “Even if EasyJet were found to be significantly accountable by the ICO, I doubt there would be much appetite for a big GDPR fine when the sector is already on its knees and close to collapse for some airlines.”


Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.

Related Topics

Customer Data
Data Breach