The largest airline in the United Kingdom, easyJet, revealed that they had been hacked by a “sophisticated attack” in January of 2020. All in all, approximately 9 million customers were affected by the EasyJet hack. The affected customers had their travel records and emails exposed. The EasyJet disclosure also revealed that 2,208 of the 9 million affected customers had their credit card information accessed but nobody had their passport records accessed. According to their notice to investors on the London Stock Exchange, they will be notifying affected customers over the next week.
In the notice, CEO of easyJet Johan Lundgren stated:
“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.
Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.
Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.
We would like to apologise to those customers who have been affected by this incident.”
easyJet breach affects 9 million customers
None of the news articles or easyJet’s disclosure have specified the vector of attack which leaked the 9 million records. All the public knows is that easyJet didn’t notify the public until months later, and has acknowledged that the stolen information will probably be used in COVID-19 related scams. While the GDPR does require notification of such breaches, in the UK the notification only needs to be given to the regulatory authority and it’s unclear why there were four months between the easyJet breach and easyJet’s disclosure of the breach.
For affected customers going to the easyJet website to change their password, they are greeted with this frankly out of date password policy:
“Your password must be a single word between 6 and 20 characters in length and must not include the special characters # & + or space.”
easyJet is likely to receive a fine from the Information Commissioner’s Office (ICO). In 2018, British Airways was fined about 225 million USD as a result of a breach where hackers absconded with credit card information from hundreds of thousands of customers.