A “highly sophisticated” cyber attack that exposed the email addresses and travel details of nine million easyJet customers is reportedly the work of Chinese hackers.
The airline, which has grounded most of its flights due to the pandemic, said it did not believe any personal information had been misused, but admitted that credit card details of more than 2,000 passengers had been stolen.
Sources close to the investigation claimed the attack had the hallmarks of an ongoing Chinese campaign against travel companies, Reuters reported.
“On the recommendation of the Information Commissioner’s Office (ICO), we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” an easyJet spokesman said.
How did it happen?
The airline insisted that the attack did not come from “someone operating from their bedroom” and said that it was not carried out by “common criminals”.
A spokesman for EasyJet said the airline notified the ICO in January. Under GDPR, an organisation must report a personal data breach to the regulator within 72 hours of becoming aware of it.
Since then EasyJet has been working with both the ICO and the National Cyber Security Centre on an ongoing investigation.
The spokesman said the airline did not believe the attack was motivated by identity fraud and that the unauthorised access had been “closed off”.
According to the sources cited by Reuters, the tools and techniques used point to a group of Chinese hackers thought to be behind multiple attacks on airlines in recent months.
EasyJet said it was “not speculating” on who the attackers were.
Asked why it took months to reveal the breach, the company said the attacker was “highly sophisticated” and that it took time to understand the scope of the attack.
“We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed,” a spokesman said.
EasyJet said there was “no link” between the breach and the current surge in refund requests.
What should you do if you are at risk?
Customers whose details were accessed will be contacted by May 26. Those who have had their credit card details stolen were informed in April.
“Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams,” said Johan Lundgren, easyJet chief executive.
The company has advised all customers to be cautious of any communications “purporting to come from EasyJet or easyJet Holidays”.
Adam French, of consumer group Which?, said: "For anyone concerned they could be affected, it's important to change your password with easyJet and other websites where you might use the same one - and keep a careful eye on bank accounts and credit reports.
"Also, be wary of emails or fake 'customer support' popping up on social media regarding the breach, as scammers may try to take advantage of it."
Jake Moore, a cybersecurity specialist at ESET, said the challenge for easyJet now was to make their customers feel safe.
“When the security notification first pops up, the procrastinators will forget about it, and think it won’t happen to them. However, when something like this occurs, the truth is that money can be stolen, and large amounts too,” he said.
“For those people who have fallen victim to this attack, it would be a good idea to use the card monitoring service offered, or better still cancel the card that was used. Once card information like this is stolen, it’s a race against time for the criminals to start using it before the owner is notified and cancels it.”
Will EasyJet be fined?
Hackers have stepped up their efforts to target major companies and the data they hold on customers. British Airways was hit in 2018 with the theft of credit card details of hundreds of thousands of its customers.
Cathay Pacific Airways also disclosed that hackers accessed information on 9.4m customers in 2018, making it the world’s biggest airline data breach at the time.
A spokesman for the ICO said there was a “live” ongoing investigation regarding the breach.
“People have the right to expect that organisations will handle their personal information securely and responsibly,” the spokesman said. “When that doesn’t happen, we will investigate and take robust action where necessary.”
Under GDPR, regulators can fine companies up to €20m or 4pc of their global annual turnover, whichever is higher, for serious breaches of the rules.
EasyJet had revenues of £6.4bn last year, so a maximum penalty could amount to about £255m – considerably more than the record £183m fine the ICO announced in 2019 against British Airways over its 2018 breach. The airline declined to comment on the prospect of an ICO fine.
Ryan Gracey, a technology law specialist at law firm Gordons, said: “Aside from reputational damage, EU regulators have the power to issue significant fines for those firms who have their data breached.”
“The EasyJet breach comes at a time of unprecedented challenge for airline operators,” added James Castro-Edwards, a partner at law firm Wedlake Bell. The potential consequences of “enforcement action and any ensuing group litigation are catastrophic,” he added.