Not clear yet on whether CVVs and expiry dates have been accessed too
Budget British airline Easyjet has been hacked, it has told the stock markets, admitting nine million people’s details were accessed and more than 2,000 customers’ credit card details stolen.
Some information about the attack was released to the London Stock Exchange by the company, which claimed it had been targeted by “a highly sophisticated source”.
Email addresses and “travel details” of “approximately 9 million customers” were slurped by the unidentified hackers. Easyjet insists that the passport and credit card details of nearly all of those people were not affected.
However, 2,208 unlucky souls within the group did have their credit card details nabbed. Precisely which details – 16 digit card number, 3-digit CVV from the reverse, expiry date and so on – were not spelled out.
The Register has asked Easyjet for more information and will update this article when the company responds.
“As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue. We also notified the National Cyber Security Centre and the ICO. We have closed off this unauthorised access,” said the airline in its statement.
Chief exec Johan Lundgren apologised for the failings of his airline’s “robust security measures,” saying: “We would like to apologise to those customers who have been affected by this incident.”
He added that “on the recommendation of the ICO, we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” saying the unlucky 9 million would be contacted by 26 May.
Professor Alan Woodward of the University of Surrey speculated about the digital breack-in: “So either credit card details [were] not encrypted or it’s Magecart again. Can’t see why they’d leave only 2,000 cards unencrypted, so suggests Magecart.”
Jake Moore of infosec biz Eset warned customers to take it seriously: “The biggest problem for EasyJet now is to get this information out to all their customers and make them safe. When the security notification first pops up in an email, the procrastinators out there will stick their heads back in the sand. However, when something like this occurs, the truth is that money can be stolen and large amounts too.”
Easyjet has been going through a torrid time, with the novel coronavirus forcing it to shut down flying operations completely as of 16 April. On top of that, founder and blocking minority shareholder Sir Stelios Haji-Ioannou has been engaged in a public campaign to stop its purchase of a new airliner from Franco-German manufacturer Airbus.
That campaign is due to come to a head at a corporate extraordinary general meeting this Friday, 22 May. Doubtless the news of the hack will energise Stelios even more in his campaign to unseat key current executives.