EasyJet has become the latest airline to fall victim to a sophisticated cyberattack. These are the key questions.
What has happened?
Britain’s biggest budget airline says the details of nine million customers have been “accessed” by hackers in a major cyberattack.
The data accessed comprised details that you input when booking a flight or holiday, including name, email address, origin and destination, departure date, booking reference number and transaction amount.
The Information Commissioner has been told by easyJet that the credit card details of 2,208 passengers were also taken.
The airline says: “We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.
“There is no evidence that any personal information of any nature has been misused.”
When did it happen?
It is thought the attacker had access to the data of customers who booked flights from 17 October to 4 March; these are dates of booking, not dates of travel.
The airline became aware of the data breach at the end of January.
A spokesperson said: “This was a sophisticated attacker and it took time to understand what information may have been accessed and to make sure they could not come back into the systems.
“As soon as we discovered it, we started an investigation and have closed off this unauthorised access.”
The passengers whose card details were accessed were told in April, and easyJet has provided credit and identity monitoring to ensure their accounts are safe.
The airline says it does not appear that anyone has suffered financial harm so far.
Why have we found out about it only now?
The Independent understands that easyJet was not obliged to contact passengers whose basic booking details were compromised.
But because of the increased incidence of phishing attempts that have occurred since the coronavirus outbreak began, it was thought appropriate to let them know in case they were targeted as a result of the information stolen during the hack.
The airline’s chief executive, Johan Lundgren, said: “Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams.”
Did the hackers get passport details?
I have a booking with easyJet. What are the chances that my data may have been hacked, and when will I find out?
If you were one of the 90 million or so who booked with easyJet in the year to January 2020, the chance that you were hacked is about one in nine. If you are among the affected passengers, you can expect to be contacted by 26 May 2020.
The airline is telling passengers their travel details were accessed and advising them of steps to take to minimise the risk of “phishing”, in which emails are sent for the purposes of fraud.
What could happen to easyJet?
The GDPR rules that govern the storage of personal data say companies must deploy “appropriate technical and organisational measures to ensure a level of security appropriate to the risks”, with particular focus on “unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”.
The Information Commissioner can impose a fine of 4 per cent of easyJet’s turnover in 2019, which could amount to £255m. In practice it is likely to be far less. Cathay Pacific was recently fined £500,000 for a data breach involving 9.4 million passengers, though only 111,000 of them were British.
Didn’t British Airways get hit with a massive fine?
Yes, following a hack in the summer of 2018 in which cybercriminals stole payment card details from an estimated 500,000 passengers who bought flights online direct from the airline.
The personal data comprised the passenger’s name, travel plans, billing address, email address and payment card details, and the three-digit security code (“card verification value”, or CVV) from the back of the card.
British Airways was handed a fine of £183m, but the potential harm to passengers in that case was much greater than in the easyJet hack.
Any tips for keeping my data safe?
You could take a wide range of precautions, including using a different email address for each airline that you book with. You might prefer to pay with a “burner” prepaid card, again used solely for flights with one airline.
Booking through an intermediary – typically an online travel agent – may add a layer of security, though it increases the number of organisations with access to your data.
The Money Saving Expert, Martin Lewis, adds: “Everyone should change your easyJet password and change the password on any site where you used the same password as you did with easyJet.”
Will this have any effect on easyJet returning cash to passengers whose flights have been cancelled?
No – though Gerard McCarthy tweeted: “Any chance the hackers can start processing our refunds then?”