9 Million easyJet Records Breached: Change Your Password Now

Ideally, if a company suffers a data breach, it will simultaneously inform all affected customers personally and will also issue a public statement that explains in enough detail what has happened. Sadly, as easyJet demonstrated, events rarely unfold in this way.

Cybercriminals breach the data of 9 million easyJet customers

Yesterday, the budget airline issued a press release and put together an FAQ page to tell everybody that it had suffered a cyberattack. Apparently, "a highly sophisticated attacker" broke through easyJet's security and stole the names, email addresses, and travel data of around 9 million people. The cybercriminals also managed to make off with the credit card details of a little over 2 thousand travelers.

The people who had their financial information pilfered were notified about the breach back in April, and easyJet is currently in the process of getting in touch with the rest of the affected customers. In the statement, easyJet repeatedly said that passport information has not been affected and that the company takes cybersecurity very seriously. Quite a few questions remained unanswered, though.

easyJet wasn’t very keen on sharing details around the data breach

In its public disclosure, the airline failed to disclose some important details like, for example, when the breach took place, and sure enough, the media started asking questions pretty soon. easyJet has yet to mention an exact date, but it told the BBC that it "became aware of the attack in January."

A spokesperson said that after booting the hackers off, easyJet immediately informed the relevant authorities and started an investigation. Apparently, at first, the company had problems understanding the scope of the attack. This, the spokesperson said, is why it took close to three months for easyJet to start disclosing the breach to the people who had their financial information stolen. There's no word on what happens to any unauthorized transactions that might have occurred between January and April because of the attack.

Many unknowns remain around the data breach

easyJet's answers to the media leave us with the impression that the company had absolutely no plans of breaking the news at this point. It did it after the UK's Information Commissioner's Office (ICO) expressed concern about increased phishing activity in light of the current Covid-19 crisis. It certainly looks like easyJet is not completely aware of what's happened exactly.

For example, it told the BBC that the hackers were trying to steal intellectual data rather than customers' personal information. By contrast, Reuters sources close to the investigation say that the criminals were trying to steal the travel records of specific individuals. According to the same sources, the perpetrators are most likely Chinese, though it's unclear what this conclusion is based on.

The news of the data breach comes at a difficult time for easyJet. The financial losses caused by the coronavirus pandemic are going to be enormous, and the last thing the airline needs is potential fines from the ICO or the EU because of poor data processing. What's more, the erratic behavior in the aftermath of the breach could make some people a bit less comfortable when it comes to sharing their details with the company. Because there are so many unknowns, if you do have an easyJet account, you are advised to change your password. You can start by clicking here.