EasyJet Admits Cyber-attack With Nine Million Customer Details Stolen

EasyJet has admitted to being hacked in January 2020 with 9 million customer details being stolen in the cyberattack.

What happened?

The Luton-based budget airline discovered a ‘highly sophisticated cyber-attack ’ back in January 2020, which affected nine million customers.

EasyJet informed customers of the breach once an investigation had been conducted. The investigation was to ascertain whose details had been targeted, what information had been accessed and to identify individuals who were impacted by the attack.

Customers who have been identified as being impacted by the attack have been told that the personal information that was stolen includes-

  • Names
  • Email addresses
  • Airport destinations (and origin)
  • Dates of travel
  • Booking reference number
  • Cost of transaction

Of the nine million individuals affected, 2,208 of those customers have also had their credit card details accessed, including the CVV (Card Verification Value) security number, and those victims were informed by easyJet in April.

EasyJet has informed the UK’s ICO (the Information Commissioners Office) and has released a statement, also stating that any customers affected will be contacted no later than 26th May. If you don’t receive any communication from easyJet, it means you have not been affected.

The company has also stated that its investigation shows no evidence that the stolen personal information has been misused in any way but ask customers to remain vigilant.

EasyJet statement

The CEO of easyJet, Johan Lundgren, also issued an apology to customers, stating:

"We would like to apologise to those customers who have been affected by this incident. Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams.

The company also issued a statement on Twitter.

Easyjet is not the only company that has suffered a large data breach. Virgin Media suffered a large breach between April 2019 and March 2020.

Data breaches, either through incompetence by a company or through a data hack are becoming more frequent. In 2019, there were 3,800 publicly disclosed data breaches worldwide, with 4.1 billion records being exposed. This is a 54% increase from 2018.

Ensuring you continuously check your information is safe is vital in today’s environment, including on the Dark Web.

What you can do

Obviously, this breach comes at a time when most of us are very aware of online and phone scams due to the Coronavirus pandemic.

Be aware of ‘phishing ’ which involves criminals emailing an individual with an authentic-looking email from a reputable company (such as easyJet in this case) and asks the customer to click a link. Once the customer obliges, they are taken to another website, cleverly designed to look exactly like the official one and from there, the customer may be asked to re-enter certain details, such as names, credit card details, passwords, etc. to ‘confirm who they are’. Customers may be asked to hand over money too.

No reputable company would ever ask you to confirm such details and certainly not via email.

Recommended steps to take, where possible and if applicable, include:

  • Using a mix of CyberCareDNA and McAfee , which has 50% discount with a Notty Account, will help protect you and also keep you updated on all the latest phishing scams
  • Update your password for your easyJet account (and other accounts if you use the same password ). Use a strong password, as long as possible, using upper and lower case letters, numbers and special characters
  • Consider cancelling the credit/debit card associated with the account
  • Regularly check bank statements and credit reports to see if there is any unusual activity
  • Be aware of fake emails and phishing scams where you are asked to give your details, regardless of how ‘real’ it looks. Contact the company for verification if you need to, but not by using the suspicious link!
  • If your bank calls explaining they have seen unusual activity and ask you to confirm certain details, end the call and ring them back on the official contact number (be wary of a number given out on a call, it could take you to a ‘fake office’). If the initial call was genuine, they will understand this.

Easyjet is not the only company that has suffered a large data breach. Virgin Media suffered a large breach between April 2019 and March 2020.

Report anything suspicious to ActionFraud , the National Fraud and Cyber Crime Reporting Centre. This is available for anyone, individuals, businesses and even witnesses.