UK low-cost airline EasyJet just announced it was the target of a highly sophisticated cyber-attack that exposed personal details of 9 million customers.
“Following discussions with the Information Commissioner’s Office (“ICO”), the Board of easyJet announces that it has been the target of an attack from a highly sophisticated source,” the company said in cyber security incident notice on May 19.
“As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue,” the company said.
EasyJet’s forensic investigation also discovered that 2,208 customers also had their credit card details stolen.
“Action has already been taken to contact all of these customers and they have been offered support,” the company added, while the remaining affected passengers will be contacted by May 26.
Even if no passport details were accessed or stolen, bad actors could still use the personal details of affected customers in targeted phishing campaigns to gain additional information and financial details.
No more information on how the data breach happened was provided, but the airline said it had “closed off this unauthorised access” and reported the incident to the National Cyber Security Centre and the ICO.
While “there is no evidence that any personal information of any nature has been misused,” the airline is advising customers to be alert and “cautious of any communications purporting to come from easyJet or easyJet Holidays.”
Considering the financial strain brought by the coronavirus pandemic and grounded aircrafts, the company could also face fines exceeding £150 million, and even lawsuits that could further hit the company’s assets.
“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data,” said easyJet Chief Executive Officer Johan Lundgren.