EasyJet has admitted that a “highly sophisticated cyber-attack” has affected nine million customers, according to reports. Apparently email addresses and travel details had been stolen and that 2,208 customers had also had their credit card details “accessed”.
In a statement EasyJet said: “We take issues of security extremely seriously and continue to invest to further enhance our security environment.
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
Sam Curry, chief security officer at Cybereason, commented on the breach, “Today, we rarely use the phrase “loose lips sink ships,” but after the reports of EasyJet’s breach surfaced, it is likely another example of “a loose click kills quick.” Also, if we’ve learned anything during the COVID-19 pandemic, it is that there is no honour among thieves, as not only have cyber attacks increased but so have their surgical like nature. Unfortunately, many of the industries most hurt by the world’s lockdown have suffered the most including the airline industry.
The vast majority of the nine million reported customers of EasyJet’s impacted by this breach have likely had their personal information stolen many times in the past, and that is the reality of a connected world. It is suggested that the customers stay on top of their credit reports, check their bank statements regularly and frequently update their login information to EasyJet’s website and other vendors they use. For EasyJet, they can come out of this either the hero or villain. They can’t be the victim. I suggest the hero by being open, honest and transparent about the remediation steps they are taking now and the preventative measures they are putting in place to reduce risk in the future.”
Commenting on this, Boris Cipot, senior security engineer at Synopsys, said “While EasyJet has reported that there’s no evidence that the accessed data has been misused, no one can be certain that the data won’t be misused in the future. EasyJet has notified all affected customers about the breach and I would urge these customers to call their bank and credit card companies to find out what the next steps are to ensure their accounts are secure. This may require the cancellation and replacement of affected cards. Affected account passwords should also be changed immediately.
Changing passwords every now and then serves as a good precautionary habit to have. It is also important to understand that using the same password across several accounts is not a safe practice. Make sure to use a different password for each site and/or account you have.
As there are many services that use your name, address and a credit card number as proof of identification, be on the lookout for attempts at identity theft. Talk to your bank/credit card company to see if they can give you a list of all the occasions when attempts were made to use your credit card.”