Cybercriminals stole the personal details of 9 million customers, including 2,200 credit-card numbers, from British budget airline EasyJet, the airline disclosed today (May 19).
"The email address[es] and travel details of approximately 9 million customers were accessed" in "an attack from a highly sophisticated source," EasyJet said in an official statement. "These affected customers will be contacted in the next few days," which the statement clarified would be by May 26.
"For a very small subset of customers (2,208), credit card details were accessed," the statement said. "Action has already been taken to contact all of these customers and they have been offered support."
Details about exactly what kind of credit-card information was compromised — such as 3- or 4-digit security codes — were not immediately available. But no passport numbers were compromised, the EasyJet statement said.
What kind of risks are EasyJet customers facing?
The affected EasyJet customers are not likely to be at increased risk of identity theft, but are likely to see much more spam and possibly an uptick in phishing attacks as a result of their email addresses becoming public.
"We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications," the EasyJet statement said. "We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays."
The Register found a couple of tweets dating from April 2 in which people reported receiving emails notifying them of an EasyJet data breach involving credit cards. The BBC reported that EasyJet learned of the breach in January and notified customers whose credit cards were compromised in early April.
If you've got an online account with EasyJet, it couldn't hurt to change the account password despite there being no indication that passwords were compromised. One of the best password managers might help with that.
And if you've been told by EasyJet that your credit card was compromised in this incident, check your recent statements and notify the card issuer immediately if you see anything amiss.
Fines or no fines?
EasyJet may face huge fines if it is found to have inadequately protected customer personal data, as defined by the European General Data Protection Regulation (GDPR). British Airways had to pay a $225 million fine to the U.K. Information Commissioner's Office for a 2018 data breach that affected 500,000 customers.
However, EasyJet may be let off the hook: Wired UK noticed that the ICO was telling complainants that it would not enforce data-protection regulations during the coronavirus crisis. The airline, which reportedly carried 28 million passengers in 2019, has been effectively grounded since the end of March.