EasyJet target of major cyber attack
Image copyright Shutterstock
Following discussions with the Information Commissioner's Office (ICO), the Board of easyJet announced that it had been the target of a cyber attack from a highly sophisticated source.
Once aware of the attack, easyJet took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue. It also notified the National Cyber Security Centre (NCSC) and the ICO, whilst closing off the unauthorised access.
The easyJet investigation found that the email address and travel details of approximately nine million customers were accessed. These affected customers will be contacted in the next few days.
Forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed. Action has already been taken to contact all of these customers and they have been offered support.
Johan Lundgren, CEO, easyJet, said: "We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers' personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.
"Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.
"Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.
"We would like to apologise to those customers who have been affected by this incident."
Although there is no evidence that any personal information of any nature has been misused, on the recommendation of the ICO, easyJet are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.
Boris Cipot, senior security engineer at Synopsys, said "While EasyJet has reported that there’s no evidence that the accessed data has been misused, no one can be certain that the data won’t be misused in the future. EasyJet has notified all affected customers about the breach and I would urge these customers to call their bank and credit card companies to find out what the next steps are to ensure their accounts are secure. This may require the cancellation and replacement of affected cards. Affected account passwords should also be changed immediately.
"Changing passwords every now and then serves as a good precautionary habit to have. It is also important to understand that using the same password across several accounts is not a safe practice. Make sure to use a different password for each site and/or account you have.
"As there are many services that use your name, address and a credit card number as proof of identification, be on the lookout for attempts at identity theft. Talk to your bank/credit card company to see if they can give you a list of all the occasions when attempts were made to use your credit card."
Brian Higgins, security specialist, Comparitech.com said: "Attacks like this have enormous, knock-on effects for the victims. Once the attack is made public, criminal organisations will immediately seek to take full advantage of the fear and uncertainty the 9 million customers of EasyJet are currently feeling and begin campaigns to exploit them. They will email, call on the telephone and make contact via social media channels. In fact they will use any and all methods to make contact, pretend to be EasyJet and use that fear and uncertainty to make people reveal more of their personal information, login credentials and bank details in order to commit more crime.
Any and all unsolicited contact from EasyJet should be ignored, however difficult that may be. You should also check their official website or contact the Office of the Information Commissioner for advice. Never engage with any other offers of help. They will almost certainly cause you more harm.
A company the size of EasyJet should have a comprehensive incident response plan to deal with this attack. The coming days will show us if that is the case, although how they can assure their customers that ‘there is no evidence that any personal information of any nature has been misused’ shows a worrying naivety.
This is the golden hour for cybercriminals. EasyJet customers have one line of defence right now. Ignore them."
EasyJet is in the process of contacting the relevant customers directly and affected customers will be notified no later than 26th of May.
Customers can also find further advice at www.actionfraud.police.co.uk
