EasyJet admits it was aware of ‘highly sophisticated cyber attack’ that affected 9 million customers as early as January

Sources have said that Chinese hackers are responsible for the attack on the budget airline

Adam Smith
Wednesday 20 May 2020 08:14 EDT
Comments
Ground-stop: none of easyJet's 337 Airbus aircraft are flying commercially
Ground-stop: none of easyJet's 337 Airbus aircraft are flying commercially (Matt Carter/@matt_carter787)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Budget airline easyJet was aware of the data breach, which revealed personal information of nine million customers and the credit card information of over 2,200 customers, in January.

News of the cyber attack broke yesterday, revealing that the attacker or attackers had access to the data of customers who booked flights from 17 October 2019 to 4 March 2020.

In a statement, the airline said: “We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.

“There is no evidence that any personal information of any nature has been misused.”

However, while there is no evidence the data was misused, that does not mean that it cannot be misused. Experts suggest that personal information “drives a higher price on the dark web” – the area of the internet inaccessible by mainstream search engines – and could be used for organised crime or ransomed.

Two people with knowledge of the investigation have said that Chinese hackers are supposedly responsible for the hack based on similarities in hacking tools and techniques used in previous campaigns, but that has yet to be officially confirmed.

In a statement, the Information Commissioners' Office (ICO) said: “We have a live investigation into the cyber attack involving easyJet. People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”

Under GDPR legislation, the ICO can impose a fine of 4 per cent of easyJet’s turnover in 2019, which could amount to £255m. The average total cost of a data breach is approximately £3.2m.

Cyberattacks against airlines rose by 15,000 per cent between 2017 and 2018, and are lucrative targets not only for the amount of personal information they hold but also because, during the coronavirus pandemic, many companies have been focused on simply continuing to exist.

Airlines are also more likely to rely on older, legacy software which is more likely to be out of date and therefore exploitable, experts say.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in