EasyJet executives have apologised to customers following a major data breach exposing both financial and personal information.
Reports by the low-cost airline enterprise indicate that sensitive details of over nine million customers were stolen using a “highly sophisticated” attack by cybercriminals. Personal email addresses and travel plans were accessed without authorization, along with payment card details, including the three-digit security codes (CVV) listed on the reverse side.
Crucial steps following a cyberattack
A spokesperson for easyJet announced that all passengers affected by the extensive data breach would be contacted. It confirmed that of the nine million customers affected, a total of 2,208 had their credit card information stolen, although no passport details were exposed during the cyberattack. Passengers with payment card details stolen were informed immediately, with the airline stating that others impacted by the attack would be notified by May 26.
Details of how the massive data leak occurred were not immediately given by easyJet, but it did state that security had been restored by closing off unauthorised access. It suggested that the company’s intellectual property had been the main target of the attack, not passenger information for use in identity theft.
The airline also confirmed it had reported the breach to data regulators at the Information Commissioner’s Office (ICO) and to the experts on online attacks at the National Cyber Security Centre (NCSC).
Johan Lundgren, chief executive at easyJet, said:
“We would like to apologise to those customers who have been affected by this incident. Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
The far-reaching financial impact of a cyberattack
The recent easyJet data breach is among the largest leaks to have affected an enterprise based in the UK, and could potentially result in the company being asked to pay a substantial fine. With many businesses operating in the airline industry already under extreme financial pressure due to the coronavirus pandemic restrictions on travel, such costs will be unwelcome at best.
Under the General Data Protection Regulation (GDPR), the powers granted to the ICO enabling it to issue fines have increased. In July last year, British Airways was instructed to pay a fine of £183m following an attack by cybercriminals in 2018 that resulted in 500,000 customers’ personal information being stolen. That same month, the hospitality group Marriott incurred a £99.2 million fine after a data breach saw 339 million passengers across the world have their private details exposed.
Following its investigation, easyJet has commented that no evidence exists that the personal information stolen has been “misused.” The airline added that the ICO had recommended that it should contact every customer affected by the cyberattack due to the increased risks of fraud using phishing tactics.