British low-cost airline easyJet has disclosed a security incident that potentially exposed the information of 9 million customers.
Budget airline easyJet revealed on Tuesday that it was the victim of a sophisticated cyber attack in which malicious parties accessed the information of 9 million customers. According to the statement the airline released to inform the public of the incident, the attackers accessed the email addresses and travel details of those 9 million customers. Passport information was not accessed, the airline has said. However, the credit card details of 2,208 customers were potentially stolen.
According to the airline, no evidence has been found indicating that the accessed personal information has been misused. But following the advice of the ICO, the company has started contacting affected people in order to minimize the risk of phishing attacks against customers.
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”
It has not been revealed exactly how the incident took place, but easyJet has said it took immediate action to respond to the attack once it became clear what had happened. However, according to certain reports, the airline has been aware of the cyber attack since January but only started informing its customers in April.
“As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue,” the airline has said in its statement.
easyJet has said that customers whose credit card details were stolen have already been contacted. All other affected customers will receive notification by 26 May. The National Cyber Security Centre and the Information Commissioner’s Office (ICO) have both been informed of the attack. The company has apologized for the incident.
“We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.”
The breach means the airline could be facing substantial fines at a time when it is already struggling financially due to the COVID-19 pandemic. With the General Data Protection Regulation (GDPR) in effect, the company could be facing a fine of up to 4% of its annual revenue.
Regardless of whether customers have received communication about the breach from easyJet, they are advised to secure their accounts by changing passwords immediately.