easyJet made an announcement to the Stock Exchange this morning to confirm that its computer systems have been hacked by “an attack from a highly sophisticated source.”
easyJet has reported itself to the Information Commissioner’s Office and can expect a very substantial fine, potentially over £100 million based on similar cases. British Airways was fined £184 million and Marriott £99 million for their data breaches in recent years, although neither company has yet exhausted the appeals process and paid up.
Luckily, the easyJet hack appears to be relatively modest in terms of what information was stolen.
Nine million sets of ‘email addresses and travel details’ have been accessed. easyJet will be emailing impacted customers over the next few days.
Only 2,208 people have had their passport and credit card details compromised. These passengers have already been notified.
The biggest risk would appear to be from phishing scams. Scammers could email the easyJet customer base with official-looking messages that lead the recipient either to pay for a fictional service or to supply their credit card details in response to a request. One plausible scam would be an email telling passengers that their flight had been cancelled and requesting bank details for a refund payment.
easyJet CEO Johan Lundgren made a slightly confusing statement which appeared to suggest that it was only due to coronavirus that the company was bothering to report the theft to passengers:
“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.
“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.
“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.
“We would like to apologise to those customers who have been affected by this incident.”
It later became clear that easyJet was aware of the hack in January and had decided not to notify those involved until pressured by the ICO. This is likely to increase the fine it receives.