
easyJet hacked – 9 million customer accounts accessed

Links on Head for Points may pay us an affiliate commission.

easyJet made an announcement to the Stock Exchange this morning to confirm that its computer systems have been hacked by “an attack from a highly sophisticated source.”

easyJet has reported itself to the Information Commissioner's Office and can expect a very substantial fine, potentially over £100 million based on similar cases. British Airways was fined £184 million and Marriott £99 million for their data breaches in recent years, although neither company has yet exhausted the appeals process and paid up.

Luckily, the easyJet hack appears to be relatively modest in terms of what information was stolen.

Nine million sets of ‘email addresses and travel details’ have been accessed. easyJet will be emailing impacted customers over the next few days.

Only 2,208 people have had their passport and credit card details compromised. These passengers have already been notified.


The biggest risk would appear to be from phishing scams. Whoever holds the data could send the easyJet customer base official-looking emails that lead the recipient either to pay for a fictional service or to supply their credit card details in response to a request. One obvious variant would be to email passengers to say that their flight had been cancelled and to request bank details for a refund payment.

easyJet CEO Johan Lundgren made a slightly confusing statement which appeared to suggest that it was only due to coronavirus that the company was bothering to report the theft to passengers:

“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.

“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.

“We would like to apologise to those customers who have been affected by this incident.”

It later became clear that easyJet was aware of the hack in January and had decided not to notify those involved until pressured by the ICO. This is likely to increase the fine it receives.

Comments (43)

  • Bob says:

    With the BA data breach I had to cancel two credit cards with all the inconvenience as I was abroad. As much as I like BA they were not willing to give any type of inconvenience factor and were quite dismissive of my objections.
    First flight with Easyjet in eight years and now this. Curious if credit card fraud as a result of the breach would be covered by Section 75 of the Consumer Credit Act or, as you are notified, more of Caveat Emptor!
    I think this ‘issue’ layered into their reluctance to pay cash back on cancellations will stretch consumers’ patience and their viability.

    • Peter King says:

      You didn’t have to cancel any cards, you chose to.

      • J says:

        I never bothered cancelling any cards… Check the Amex app most days to keep an eye on stuff anyway, not worth stressing out too much over in my opinion. (Although if I’d paid on a debit card I wouldn’t be so relaxed and I’d be cancelling cards etc).

  • Lady London says:

    I believe the much-publicised “headline fines” (airline hangs its head in shame swearing they did / will do the right thing, and regulator gets to proclaim a success) are negotiated down after all the big announcements, so that it is something much smaller that the airline pays.

    • EwanG says:

      There are discounts for co-operation, meeting the other obligations under the act (such as reporting the breach within timescales). Such discounting happens with other regulators too.

      Of course if they still don’t agree they can appeal the fine.

  • AndyGWP says:

    Note – the scale of the attack doesn’t mean the fine will correlate accordingly, nor might it necessarily be substantial

    If it truly was highly sophisticated (as opposed to Marriott’s and BA’s, which were due to significant negligence), then they may not get fined at all

    There have been many white papers highlighting that a system being hacked is a matter of when, not if, and this is taken into account by the ICO

    • Mr(s) Entitled says:

      100% this. I’m not sure why everyone feels the need to jump on the blame wagon with so little detail public. Not everything has to be someone’s fault. It is possible to be both diligent and hacked at the same time.

      • Aliks says:

        It’s all about single points of failure. Diligence is one thing, but mistakes and errors can always let you down, so the aim is to make sure no single security flaw risks leakage of thousands of clients’ data.

        The CEO statement refers to a “highly sophisticated” attack, but I doubt this, as the only material leaked appears to be a simple database dump. If the attackers were sophisticated they would have targeted much more valuable data. The CEO is trying to imply that the attackers were so devilishly clever that no simple airline could hope to defend themselves. The reality is likely to be low budgets for security, resulting in poor application design, poor security infrastructure, and weak controls over internal users. Sadly they are not the only company in this category, and the only cure is big fines for security breaches.

        • AndyGWP says:

          I don’t think anyone disagrees with what you say.

          The point was, you can’t make any assumptions (they haven’t mentioned their financial information being taken but they don’t need to)

          You can’t compare like for like, and as an organisation I wouldn’t be giving away all the ins and outs as to what or how things happened in a press release 🙂

  • Concerto says:

    I must say my easy.com email address was one of the worst I ever had. Towards the end, mostly inaccessible because of “hacking”, and then my address was hacked resulting in me getting lots of threatening emails displaying my password in the subject line. Luckily I used it for airline and hotel newsletters only! I have never liked this orange Easy empire and never will. They belong with anything to do with trash, which also uses the bright orange colour.

  • KD says:

    I usually get my annual email from EasyJet this month about being admitted to the flight club for another year. I hope I have requalified; best free perks you can get these days.