An attack against British airline easyJet by “a highly sophisticated source” accessed the email addresses and travel details of approximately nine million customers, including credit card details of 2,208 customers.

The company did not reveal when it learned of the attack or what a forensic investigation revealed, nor did it specify the breach date. 

Although the airline alerted its impacted customers, its consumer-facing website buried the news of the breach within a press release dated May 19 on its corporate site. The first words of the release state the announcement was being made “following discussions with the ICO….”

“We take issues of security extremely seriously and continue to invest to further enhance our security environment,” the release stated.

After becoming aware of the attack, easyJet engaged leading forensic experts to investigate the issue, as well as notified the National Cyber Security Centre and the British government’s Information Commissioner’s Office (ICO).

EasyJet CEO Johan Lundgren apologized to customers affected by the incident. Noting the airline takes the cybersecurity “very seriously” and acknowledging the challenge of battling “ever more sophisticated” cyberattackers, Lundgren said a heightened concern about the use of personal data in online scams in the wake of the COVID-19 pandemic prompted the company to contact “those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

The attack prompted assessments by cybersecurity experts, many alluding to what’s missing from the disclosure and easyJet’s inherent vulnerability going forward.

“Nine million user records and just two million credit card details seem to be just a tiny percentage of the total number of easyJet customers,” commented Ilia Kolochenko, founder and CEO of ImmuniWeb.

The current information disclosure is insufficient to make definitive conclusions about the origins and potential consequences of the attack, Kolochenko said, adding it will likely be difficult to avoid financial penalties under the GDPR, but depending on the negligence involved in the cause of the incident, the fine may be rather nominal than exemplary punitive.

Tessian CEO Tim Sadler believes easyJet customers are now at greater risk of phishing scams following this cyberattack and should be wary of emails they receive purporting to come from the airline company. “[T]here’s no telling how much more damaging this cyber breach will be to easyJet’s future,” Sadler added.

Boris Cipot, senior sales engineer at Synopsys, advised impacted customers to change their passwords. “While easyJet has reported that there’s no evidence that the accessed data has been misused, no one can be certain that the data won’t be misused in the future,” Cipot said.

Even though at first glance, it appears that easyJet followed the correct procedures and informed all affected customers who have had their sensitive data compromised, Mark Bower, comforte AG senior vice president, believes the situation could have been avoided.

Bower said more precautions could have been taken by the airline to safeguard PII with more robust tokenization technology.

Brian Higgins, Comparitech security specialist, anticipates hackers will pile on the airline. “Once the attack is made public criminal organizations will immediately seek to take full advantage of the fear and uncertainty the 9 million customers of EasyJet are currently feeling and begin campaigns to exploit them,” he added.

The company’s general shareholder meeting is scheduled for May 22. By 5 pm London time on May 19 easyJet trading on OTCMKTS dipped slightly by 0.22%, closing at USD$6.80.