UK-based low-cost carrier easyJet has announced that it faced a cyberattack from a ‘highly sophisticated source’, which compromised the data of around nine million passengers.
The airline has stated that it took the necessary steps to manage the attack and forensic experts are investigating the issue.
The National Cyber Security Centre and the Information Commissioner’s Office have also been notified of the attack, and the unauthorised access has been closed.
EasyJet stated that it will contact all customers who have been affected by the cyberattack.
According to the forensic investigation, 2,208 customer credit card details were breached. The airline has initiated contact with the customers and has offered support.
Credit card and passport details of other passengers were not accessed.
In a statement, easyJet said: “There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”
The airline plans to contact all customers by 26 May.
Comparitech.com security specialist Brian Higgins said: “Attacks like this have enormous, knock-on effects for the victims. Once the attack is made public, criminal organisations will immediately seek to take full advantage of the fear and uncertainty the nine million customers of easyJet are currently feeling and begin campaigns to exploit them.
“They will email, call on the telephone and make contact via social media channels. In fact they will use any and all methods to make contact, pretend to be easyJet and use that fear and uncertainty to make people reveal more of their personal information, login credentials and bank details in order to commit more crime.
“Any and all unsolicited contact from easyJet should be ignored, however difficult that may be. You should also check their official website or contact the Office of the Information Commissioner for advice. Never engage with any other offers of help. They will almost certainly cause you more harm.
“A company the size of easyJet should have a comprehensive incident response plan to deal with this attack. The coming days will show us if that is the case, although how they can assure their customers that ‘there is no evidence that any personal information of any nature has been misused’ shows a worrying naivety.
“This is the golden hour for cybercriminals. EasyJet customers have one line of defence right now. Ignore them.”