The attack, described by the airline as originating from a highly sophisticated source, has already been notified to the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
EasyJet said it took immediate steps to halt the attack and seal off the breach as soon as it became aware it had been compromised. It has also engaged a security forensics team to investigate the incident.
“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated,” said EasyJet CEO Johan Lundgren.
“Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.
“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems and our data. We would like to apologise to those customers who have been affected by this incident,” added Lundgren.
EasyJet said it had already taken action to contact those customers whose credit card details had been accessed and offer them appropriate support, and it would be contacting the other victims in the coming days.
Boris Cipot, Synopsys
It said that no passport details had been exposed, and nor was there any evidence that any of the personal information taken had been misused by cyber criminals. Nevertheless, it said, EasyJet customers should be alert to unsolicited communications, particularly if they purport to come from itself.
An ICO spokesperson said: “We have a live investigation into the cyber attack involving EasyJet.
“People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.
“Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks, and scam messages. We have published advice on our website about how to spot potential phishing emails.”
Boris Cipot, senior security engineer at Synopsys, said: “While EasyJet has reported that there’s no evidence that the accessed data has been misused, no one can be certain that the data won’t be misused in the future. EasyJet has notified all affected customers about the breach and I would urge these customers to call their bank and credit card companies to find out what the next steps are to ensure their accounts are secure. This may require the cancellation and replacement of affected cards. Affected account passwords should also be changed immediately.
“Changing passwords every now and then serves as a good precautionary habit to have. It is also important to understand that using the same password across several accounts is not a safe practice. Make sure to use a different password for each site and account you have.
“As there are many services that use your name, address and a credit card number as proof of identification, be on the lookout for attempts at identity theft. Talk to your bank or credit card company to see if they can give you a list of all the occasions when attempts were made to use your credit card,” he added.
SonicWall’s vice-president of sales in Europe, the Middle East and Africa (EMEA), Terry Greer-King, added: “Organisations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost, and airlines should be particularly vigilant as they hold a treasure trove of customer data.
“Attacks such as the one on EasyJet should remind CTOs, CIOs and CISOs to implement security best practices like a layered approach to protection, and update any out-of-date security devices, applications or systems as a matter of course. Businesses should be working very closely with their security providers to gain a clear and real-time picture of security risks and the impact they could potentially pose to their organisation.
“The damage of this breach is yet to be seen, but it is certain that stakeholder confidence will be shaken as a result. Under GDPR [General Data Protection Regulation], EasyJet may also expect a hefty fine along the lines of the British Airways and Marriot fines,” he added.
Terry Greer-King, SonicWall
Airlines are tempting targets for cyber criminals because of the amount of important data – particularly highly valuable details such as passport information – they are obliged to collect on their customers.
Recent high-profile cyber security incidents to have affected the aviation sector include the September 2018 breach of British Airways (BA), which was subsequently found to be much worse than the airline at first admitted, and the October 2018 breach of Cathay Pacific, which saw the passport numbers of 860,000 people and the Hong Kong ID card numbers of 245,000 stolen.
Both of these incidents attracted significant fines from the ICO. BA’s – currently deferred – fine of £180m is the largest issued to date under the European Union’s GDPR, while Cathay Pacific’s fine of £500,000 was the maximum possible pre-GDPR fine and would doubtless have been much higher had its breach happened after the regulation came into effect.
Read more about cyber attacks
- Attack on Elexon was resolved within hours with no impact on the UK’s national electricity supply, but it could have been much worse.
- VMware’s Carbon Black observes a spike in cyber attacks on financial services organisations during coronavirus pandemic.
- Latest government statistics reveal the scale of the cyber security challenge facing UK plc, but reveals some cause for optimism.