easyJet hacked – 9 million customer accounts accessed


easyJet made an announcement to the Stock Exchange this morning to confirm that its computer systems have been hacked by “an attack from a highly sophisticated source.”

easyJet has reported itself to the Information Commissioner's Office and can expect a very substantial fine, potentially over £100 million based on similar cases. British Airways was fined £184 million and Marriott £99 million for their data breaches in recent years, although neither company has yet exhausted the appeals process and paid up.

Luckily, the easyJet hack appears to be relatively modest in terms of what information was stolen.

Nine million sets of ‘email addresses and travel details’ have been accessed. easyJet will be emailing impacted customers over the next few days.

Only 2,208 people have had their passport and credit card details compromised. These passengers have already been notified.


The biggest risk would appear to be from phishing scams. There is the potential to email the easyJet customer base with official-looking emails which would result in the recipient either making payment for a fictional service or supplying their credit card details in response to a request. One logical idea would be to email passengers to say that their flight had been cancelled and to request bank details for a refund payment.

easyJet CEO Johan Lundgren made a slightly confusing statement which appeared to suggest that it was only due to coronavirus that the company was bothering to report the theft to passengers:

“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.

“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.

“We would like to apologise to those customers who have been affected by this incident.”

It later became clear that easyJet was aware of the hack in January and had decided not to notify those involved until pressured by the ICO. This is likely to increase the fine it receives.


Comments

  1. BSI1978 says:

    Picking up on your thread Rob as to why the CEO made the announcement, I would be interested to understand when this hack actually happened. Isn’t the EGM this week….?

    Really hope they haven’t simply felt compelled to make the announcement because of that / Stelios agitating in the background…..

    • Simon says:

      Doubt it. ICO requires you to tell people whose information is taken “without undue delay”, as soon as you do that you have to assume that it’ll get to the press, so you need to do proactive comms at the same time.

    • EwanG says:

      BBC reporting that easyJet first became aware of this in January. As they would have to report this to their supervisory authority within 72 hours, and in the same timescales (but presumably not done) to data subjects if there is high risk of adversity (which there will be for at least the 2,208) then the big question from me is why it has taken a further 4 months for this to become public…. Their other goings on wouldn’t be a suitable reason for delay.

    • Yes the EGM is on Friday. This detail is included in the Sky News report of the cyberhack. Intriguingly Sky also reported that Stelios has offered a £5m reward to anyone who is able to provide information that leads to the £4.5bn deal for new Airbus planes being cancelled!

      Also The Guardian is reporting that the ICO recommended EasyJet contact all customers because of an increased risk of phishing fraud. The 2,208 customers who had their credit card details stolen have apparently already been contacted. That suggests that EasyJet didn’t really want to let anyone else know about the cyberhack and would not have done so had the ICO not suggested it do so.

      • Remember that Airbus has just paid a multi-billion Euro fine for systematic bribery over decades. Stelios thinks someone at easyJet was on the take. If there is any proof, the aircraft order can be cancelled.

  2. ian_h says:

    I hope this isn’t some criminal network attempting to find a smoking gun and claim a £5m bounty from Stelios!

  3. insider says:

    For reference, the BA attack harvested about 500k user details including CC numbers, but not travel details. Will be interesting to see how the ICO size the fines

    • Big Dave says:

      The BA attack was different – it was a ‘man in the middle attack’ someone got in and changed the code that processes the customer details leaking the CC info out.
      The EZY breach seems to be a database dump – leaked or hacked.
      You usually only realise it's happened when you see it for sale on the darkweb or are blackmailed about it. Once the trading/blackmail value drops it gets dumped for all to see as it has no value to the black market anymore.

  4. Any guess on what is special about the 2,208? Easyjet plus members?

    • Gumshoe says:

      Presumably people who’d recently made a payment, given that EZY shouldn’t otherwise have a record of their CC details?

    • 2208 is the 11th Keith number.

      It's also a product of:

      (Prime(n)-1)*(Prime(n)+1)

      in this case the prime number(n) being 47.

      Perhaps we are looking for hackers with a keen interest in number theory.

  5. Rob
    A while back you mentioned doing a follow up article re the BA data breach and joining the class action. Did you ever progress this? Whilst I haven't signed up yet, their appalling behavior in refunding passengers' flights no longer makes me feel sorry for them in this.

    • No, we weren’t able to progress it enough to the level I would want before suggesting readers jump in. Question is whether there will be time before the cut-off date comes around.

    • Pablo says:

      Consider yourself lucky that you are not due any refunds from Lufthansa or Aegean. BA are saints compared with other airlines.

  6. Interesting that they managed to notify over 2000 people and keep this under wraps.

    I think any potential fine will be rescued given the state of the airline industry. The ICO haven’t yet followed through on their intention to fine BA and I fully expect a massively reduced fine if anything.

    Would a £100m fine be the end of easyJet?

    • BSI1978 says:

      How does their having accessed the Govt. bailout fund square with their being aware of a potential issue which could lead to significant liability? I am guessing here but presumably EJ would have had to make some form of declaration or provide an undertaking that there wasn't anything in the background which could subsequently impact their financial standing/position, whether negatively or positively.

      • Unless the government was being very canny; they loan EJ £600m and get £700m back courtesy of the data breach fine. If they didn’t loan EJ anything EJ goes to the wall and the Govt wouldn’t get even £100m from the data breach.

    • Loose change for easyJet.

      • Steve says:

        If they have loose change, they can pay my refund, as well as everyone else.

    • BrightonReader says:

      Not everyone runs to the press when stuff happens to them.

      The ICO will assess the fine based on the individual data breaches and the harm caused, as well as the cause of the breach and how easyJet dealt with it.

      And that is all they will assess it on, as the fine is then based on a maximum of 4% of global turnover and they don't take other factors into account.

      Part of the reason why the proposed BA fine is so high is that they basically denied being at fault even though their poor controls let the hackers in and let them in for a long period.

      • Flyertalk has a story about an American woman who is suing Aer Lingus for being dragged out of the toilet while the plane was waiting to depart 😂

  7. “Every business must continue to stay agile to stay ahead of the threat”

    eh – how can you “stay ahead” when this breach is evidence that you are currently *behind* ?!

  8. They must have replied to that email bailout offer from a Nigerian prince.

    • haha! Actually I am surprised no one has thought to send a bailout request like that to the government seeing as they’re giving money away….. 😉 (tongue firmly in cheek in case anyone thinks I am serious)

  9. With the BA data breach I had to cancel two credit cards with all the inconvenience, as I was abroad. As much as I like BA they were not willing to give any type of inconvenience factor and were quite dismissive of my objections.
    First flight with Easyjet in eight years and now this. Curious if credit card fraud as a result of the breach would be covered by Section 75 of the Consumer Credit Act or, as you are notified, more a case of Caveat Emptor!
    I think this ‘issue’ layered into their reluctance to pay cash back on cancellations will stretch consumers' patience and their viability.

    • Peter King says:

      You didn't have to cancel any cards, you chose to.

      • I never bothered cancelling any cards… Check the Amex app most days to keep an eye on stuff anyway, not worth stressing out too much over in my opinion. (Although if I’d paid on a debit card I wouldn’t be so relaxed and I’d be cancelling cards etc).

  10. Lady London says:

    I believe the much-publicised “headline fines” (airline hangs its head in shame swearing they did / will do the right thing, and regulator gets to proclaim a success) are negotiated down after all the big announcements, and it is something much smaller that the airline pays.

    • EwanG says:

      There are discounts for co-operation, meeting the other obligations under the act (such as reporting the breach within timescales). Such discounting happens with other regulators too.

      Of course if they still don’t agree they can appeal the fine.

  11. AndyGWP says:

    Note – the scale of the attack doesn’t mean the fine will correlate accordingly, nor might it necessarily be substantial

    If it truly was highly sophisticated (as opposed to Marriott and BAs which were due to significant negligence), then they may not get fined at all

    There’s been many white papers highlighting that a system being hacked is a matter of when, not if, and this is taken into account by the ICO

    • Mr(s) Entitled says:

      100% this. I’m not sure why everyone feels the need to jump on the blame wagon with so little detail public. Not everything has to be someone’s fault. It is possible to be both diligent and hacked at the same time.

      • Aliks says:

        It's all about single points of failure. Diligence is one thing, but mistakes and errors can always let you down, so the aim is to make sure no single security flaw risks leakage of thousands of clients' data.

        The CEO statement refers to a “highly sophisticated” attack, but I doubt this, as the only material leaked appears to be a simple database dump. If the attackers were sophisticated they would have targeted much more valuable data. The CEO is trying to imply that the attackers were so devilishly clever that no simple airline could hope to defend themselves. The reality is likely to be low budgets for security, resulting in poor application design, poor security infrastructure, and weak controls over internal users. Sadly they are not the only company in this category, and the only cure is big fines for security breaches.

        • AndyGWP says:

          I don’t think anyone disagrees with what you say.

          The point was, you can’t make any assumptions (they haven’t mentioned their financial information being taken but they don’t need to)

          You can't compare like for like, and as an organisation I wouldn't be giving away all the ins and outs as to what or how things happened in a press release 🙂
