Security

It wasn't just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims

Unsurpisingly budget airline goes cheap: No payout or credit monitoring

72 Got Tips?

Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline.

As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet about the hack until mid-May, though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack.

Today emails from the company began arriving with customers. One seen by The Register read:

Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020. Your passport and credit card details were not accessed, however information including where you were travelling from and to, your departure date, booking reference number, the booking date and the value of the booking were accessed.

We are very sorry this has happened.

It also warned victims to be on their guard against phishing attacks by miscreants using the stolen records, especially if any “unsolicited communications” arrived appearing to be from Easyjet or its package holidays arm.

Perhaps to avoid spam filters triggered by too many links, the message mentioned, but did not link to, a blog post from the Information Commissioner's Office titled, “Stay one step ahead of the scammers,” as well as one from the National Cyber Security Centre, published last year, headed: “Phishing attacks: dealing with suspicious emails and messages.”

There was no mention in the message to customers of compensation being paid as a result of the hack. Neither, when El Reg asked earlier this week, did Easyjet address the question of compo or credit monitoring services.

More woes, as Easyjet founder flounders

Separately, an Easyjet company general meeting held this morning to sack its CEO and key execs ended with company founder Stelios Haji-Ioannou being outvoted by his shareholders.

UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

READ MORE

Stelios wanted to replace them with people who would cancel a £4.5bn order for new Airbus aircraft, which he says is unnecessary spending at a critical moment. No new details about the hack were mentioned in news reports of the meeting.

Stelios did not take news of his loss well, issuing a statement [PDF] accusing Easyjet and Airbus of “voting fraud,” threatening to sue the Daily Telegraph for pouring scorn on his anti-Airbus campaign, and branding Airbus itself “the scoundrels”.

The Guardian reported Easyjet finance chief John Barton as saying: “The company has no right to unilaterally terminate the contract [with Airbus].

"The one-off costs associated with termination would be very material and taken with the future value of contract, termination would be hugely detrimental and seriously impact the company’s ability to operate as a low-cost airline.”

Easyjet's fleet has an average age, according to a planespotters' website, of just over eight years – relatively young in aviation terms – though some of its longest-serving aircraft are more than 15 years old. ®

Sign up to our NewsletterGet IT in your inbox daily

72 Comments

Keep Reading

Oh cool, tech service prices are plummeting. And by tech services, we mean botnet rentals and stolen credit cards

Supply and demand in action

Easyjet hacked: 9 million people's data accessed plus 2,200 folks' credit card details grabbed

Updated All together now: The hackers were 'highly sophisticated'

Equifax finally coughs up the money for its 2017 monster hack… to the banks for having to cancel your cards

What did happen to the $125 everyone was promised?

Apple's credit card caper probed over sexism claims – after women screwed over on limits

Blame the algorithms: It's the new 'dog ate my homework'

Now that's a bad trip: 880k credit cards 'likely' stolen by Orbitz hackers

And bad news for healthy types: Active.com thoroughly pwned, too

Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers' payment cards

Malware loaded onto more than 5k cash tills but pre-GDPR screw-up means retailer dodged bigger financial bullet

Who left a database of emails, credit cards, plain-text passwords, and more open to the web this week? Tech Data, come on down!

Business IT giant that services Apple, Cisco, and others, exposed 264GB of info

Cinema voucher-pusher tells customers: Cancel your credit cards, we've been 'attacked'

Updated Website taken down 'for the foreseeable future'

Malware again checks into Hyatt's hotels, again checks out months later with victims' credit cards

Hyatt grievance, see?

The End for Fin7: Feds cuff suspected super-crooks after $$$m stolen from 15m+ credit cards

Three alleged ringleaders nabbed in EU, indicted in US

Tech Resources

The Definitive Guide to Sharing Threat Intelligence

Sharing threat intelligence is gradually becoming an accepted component in information security defense but there are still ways we can gain more.

Unlocking the Cloud-Native Data Layer

Being able to exceed customer expectations is essential to a successful business.

CrowdStrike Falcon Complete

Guidance for taking any organization to the highest level of endpoint protection regardless of internal resources.

10 Examples of Smarter Alerting

A guide for SRE, Dev and Ops teams who need to be proactive in finding problems before service is affected, without debilitating alert noise.