EasyJet data breach exposes personal information of 9 million customers

Airline company easyJet announced Tuesday that a recent data breach by a “highly sophisticated actor” had comprised the personal information of 9 million customers.

Hackers were able to access the email addresses and travel details of all 9 million, and more than 2,000 had their credit card information compromised. The airline said in a statement that the “unauthorized access” used by hackers to steal the data had been “closed off.”

EasyJet said it would notify all customers who had credit card numbers stolen by May 26 and advised all customers to be wary of malicious emails that might use stolen travel information to try to steal more data. It emphasized that there was no evidence that the stolen information had been “misused.”

The company, which is headquartered in the United Kingdom, notified the U.K.’s National Cyber Security Centre and the Information Commissioner’s Office (ICO) once it became aware of the breach, but it did not offer details on when the breach took place or how long it has known about the incident. 

Johan Lundgren, the CEO of easyJet, said in a statement Tuesday that the company “would like to apologize to those customers to have been affected by this incident.”

“We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information,” Lundgren said. “However, this is an evolving threat as cyber attackers get ever more sophisticated.”

He pointed to the coronavirus pandemic as a catalyst for hackers targeting personal information at a greater rate. 

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams,” Lundgren said. “Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.”

The hack comes a year after British Airways was fined millions of pounds by the ICO for a breach that involved hackers stealing the data of around 500,000 customers, according to the BBC.

The ICO also fined airline Cathay Pacific earlier this year for a data breach that involved passport numbers, expired credit card numbers and addresses of around 9.4 million customers.