Hackers accessed travel details about roughly 9 million people amid a data breach at EasyJet, the largest airline in the United Kingdom.
In a statement Tuesday, EasyJet said thieves had walked off with customer emails and travel information in what the company described as a “highly sophisticated cyber-attack,” without providing any details. Credit card information belonging to 2,208 customers also was compromised in the incident, the company said. Exactly when the breach occurred remains unclear, though the airline first learned of the incident in January, according to the BBC.
EasyJet alerted the U.K. Information Commissioner’s Office to the incident, as required under European data protection law. The General Data Protection Regulation requires breach victims to alert regulators within 72 hours under some conditions, such as when personal information is involved.
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with approximately nine million customers whose travel details were accessed to advise them of protective steps to minimize any risk of potential phishing,” EasyJet said in a statement.
Travel details and email information about so many people present scammers with a valuable opportunity to commit fraud.
Some 37% of data breaches last year involved the use of credentials, according to Verizon’s Data Breach Investigations Report, an annual barometer of security trends. Scammers maintain databases of stolen email addresses and passwords, meaning attackers will be able to check lists of email addresses against existing cybercriminal resources to breach victims’ accounts. The use of stolen usernames and passwords was a more common hacking technique in 2019 than malicious software, Verizon found.
“I think people have lost sight of the value of their email,” Gabriel Bassett, senior information security data scientist at Verizon, told CyberScoop last week.
EasyJet customers now will be particularly vulnerable to phishing messages, as scammers will know if individuals were previously customers of the airline. Attackers also may have access to their travel details, and could include personal details taken from an individual’s previous trip itinerary to lure them into a trap.
Word of the breach comes less than a year after the U.K.’s ICO fined British Airways £183.39 million ($229.2 million) for failing to fix security vulnerabilities that hackers exploited to steal data about some 500,000 customers.