Budget airline EasyJet has admitted being hit by a cyberattack that left the details of up to nine million customers at risk.
The “highly sophisticated cyber-attack” saw EasyJet customer email addresses and travel details stolen over an undisclosed period of time.
The airline also says that the credit card details of 2,208 customers had been “accessed”, but could not confirm if this information had been used maliciously yet.
According to the BBC, the attack was first detected in January, with EasyJet contacting users whose card details had been stolen in April.
“We take issues of security extremely seriously and continue to invest to further enhance our security environment,” EasyJet said in a statement, adding that it had informed the UK’s Information Commissioner’s Office (ICO) of the breach as it continues its investigation.
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
The airline noted that it was now in the process of contacting all nine million affected customers, warning them to watch for potential phishing attacks.
“There is enough personal information in the stolen records to make those people targets for identity theft and fraud,” noted Check Point’s UK regional director Andy Wright.
“Hackers are likely to trade the stolen data as well as trying to trick customers into revealing further personal details using targeted phishing emails.
“It’s just a numbers game for hackers, as they can easily send tens of thousands of emails in the hope of tricking a handful of customers. Customers affected should be suspicious of any emails or even phone calls that relate to the breach, no matter how plausible, and should not give away more personal information. They should also be vigilant for suspicious credit-card transactions.”
EasyJet could face significant punishment from the ICO if found to not have protected its customers properly. A similar breach in 2018 that saw the details of more than half a million British Airways customers saw the airline fined £183m by the regulator.