Updated
Budget British airline Easyjet has been hacked, it has told the stock markets, admitting nine million people's details were accessed and more than 2,000 customers' credit card details stolen.
Some information about the attack was released to the London Stock Exchange by the company, which claimed it had been targeted by "a highly sophisticated source".
Email addresses and "travel details" of "approximately 9 million customers" were slurped by the unidentified hackers. Easyjet insists that the passport and credit card details of nearly all of those people were not affected.
However, 2,208 unlucky souls within the group did have their credit card details nabbed. Precisely which details – 16-digit card number, 3-digit CVV from the reverse, expiry date and so on – were taken was not spelled out.
Twitter activity dating back to the first few days of April, however, shows Easyjet customers asking the airline whether notification emails were real:
@easyJet just had an email detailing a possible incident regarding the hacking of your systems and possible security breach, including card details, can you confirm if this is a genuine email? thanks— JohnnyB (@JohnPaulBentley) April 2, 2020
The latter tweet shows a screen of what appears to be an Easyjet email explaining that “name, travel destination, email address, and credit cards details [sic]” were accessed in the hack earlier this year.
People who think they might have been affected could do worse than change online passwords used for Easyjet services, as well as changing the same password that they’ve used on other websites. Keeping a close eye on online banking activity for any unusual transactions is also wise.
The Register has asked Easyjet for more information and will update this article when the company responds.
"As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue. We also notified the National Cyber Security Centre and the ICO. We have closed off this unauthorised access," said the airline in its statement.
Chief exec Johan Lundgren apologised for the failings of his airline's "robust security measures," saying: "We would like to apologise to those customers who have been affected by this incident."
He added that "on the recommendation of the ICO, we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing," saying the unlucky 9 million would be contacted by 26 May.
Professor Alan Woodward of the University of Surrey speculated about the digital break-in: "So either credit card details [were] not encrypted or it's Magecart again. Can't see why they'd leave only 2,000 cards unencrypted, so suggests Magecart."
Jake Moore of infosec biz Eset warned customers to take it seriously: "The biggest problem for EasyJet now is to get this information out to all their customers and make them safe. When the security notification first pops up in an email, the procrastinators out there will stick their heads back in the sand. However, when something like this occurs, the truth is that money can be stolen and large amounts too."
Easyjet has been going through a torrid time, with the novel coronavirus forcing it to shut down flying operations completely as of 16 April. On top of that, founder and blocking minority shareholder Sir Stelios Haji-Ioannou has been engaged in a public campaign to stop its purchase of a new airliner from Franco-German manufacturer Airbus.
That campaign is due to come to a head at a corporate extraordinary general meeting this Friday, 22 May. Doubtless the news of the hack will energise Stelios even more in his campaign to unseat key current executives. ®
Updated at 13:50 on 19 May to add:
The Information Commissioner’s Office said in a prepared statement that it has “a live investigation into the cyber attack involving easyJet” but did not answer questions about when Easyjet notified it of the hack. The agency has previously said it will not be enforcing data protection or freedom of information laws during the coronavirus pandemic, something noticed by Wired magazine today.