Earlier today, on the 19th of May 2020, we found out that 9 million customers have had some of their personal information stolen from EasyJet. At the moment, the extent of this hack seems to be that 2200 people have had their credit card details stolen and have been notified, although we expect further developments in due course.
The company has not given any information about how the attack might have happened, only saying that this attack was ‘highly sophisticated’. They also offered no time frame in which the breach may have started or when the unauthorised access was detected and stopped.
It is speculated that this information could be used in future attacks on their customers, as is not uncommon in situations such as this. The hacker could sell these details on, allowing other hackers to exploit the victims. The CEO of EasyJet, Johan Lundgren, has urged customers to be ‘extra vigilant’.
The CEO has also said, “We will continue to invest in protecting our customers, our systems, and our data”, and has offered an apology to customers, saying, “We would like to apologize to those customers who have been affected by this incident.”
From the view of a cyber security professional, this is eerily similar to the British Airways breach. Airline companies are seemingly becoming a higher value target for nefarious cybercriminals. EasyJet has said they are working with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) to find the origin of this attack.
At Sencode, we will be following the developments of this story closely and offering any updates in further posts. We would expect to see more information being disclosed about the nature of this attack in the future, and a possible fine to be issued to EasyJet because of a breach of GDPR. This could be catastrophic for the company due to the ongoing pandemic, which has seen the use of air travel plummet.
Author: Matthew Protheroe-Hill on 19th May 2020