easyJet, Europe’s second-largest low-cost carrier has admitted that in January this year the company was the subject of a “highly sophisticated cyber-attack” and that email addresses and travel details of approximately nine million passengers had been compromised. In addition, the credit card details, including the all-important CVV security code number of 2,208 accounts had been accessed. The U.K.’s Information Commissioner’s Office has been informed.
easyJet has explained the four-month delay in advising passengers of the data breach because: “This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted,” the airline told the BBC. “We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.
easyJet is now contacting all affected passengers, advising them to be aware of possible phishing emails, and expects to have completed this task by May 26. The airline felt confident that while passenger data had been compromised, the nature of the attack was more a targeting of “intellectual property”. “There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimize any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays.”
Phishing attacks have increased 100-fold since the coronavirus pandemic and Google is currently blocking over 100 million phishing emails on a daily basis. The airline industry appears to have a susceptibility to cyber-attacks, with 2018 seeing British Airways slapped with a £183 million fine after data involving 380,000 transactions was compromised, while compensation payouts to passengers could see that figure rise to £3 billion. Under GDPR (General Data Protection Regulation), if easyJet is found to have mishandled customer data, it could face fines of up to 4% of its annual worldwide turnover. (£1.00 = US$1.22 art time of publication.)