9 million EasyJet customers hit by data breach: What to do now

Cybercriminals stole the personal details of 9 million customers, including 2,200 credit-card numbers, from British budget airline EasyJet, the airline disclosed today (May 19).

"The email address[es] and travel details of approximately 9 million customers were accessed" in "an attack from a highly sophisticated source," EasyJet said in an official statement. "These affected customers will be contacted in the next few days," which the statement clarified would be by May 26.

"For a very small subset of customers (2,208), credit card details were accessed," the statement said. "Action has already been taken to contact all of these customers and they have been offered support."

Details about exactly what kind of credit-card information was compromised — such as 3- or 4-digit security codes — were not immediately available. But no passport numbers were compromised, the EasyJet statement said.

What kind of risks are EasyJet customers facing?

The affected EasyJet customers are not likely to be at increased risk of identity theft, but are likely to see much more spam and possibly an uptick in phishing attacks as a result of their email addresses becoming public. 

"We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications," the EasyJet statement said. "We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays."

The Register found a couple of tweets dating from April 2 in which people reported receiving emails notifying them of an EasyJet data breach involving credit cards. The BBC reported that EasyJet learned of the breach in January and notified customers whose credit cards were compromised in early April.

If you've got an online account with EasyJet, it couldn't hurt to change the account password despite there being no indication that passwords were compromised. One of the best password managers might help with that.

And if you've been told by EasyJet that your credit card was compromised in this incident, check your recent statements and notify the card issuer immediately if you see anything amiss.

Fines or no fines?

EasyJet may face huge fines if it is found to have inadequately protected customer personal data, as defined by the European General Data Protection Regulation (GDPR). British Airways had to pay a $225 million fine to the U.K. Information Commissioner's Office for a 2018 data breach that affected 500,000 customers.

However, EasyJet may be let off the hook: Wired UK noticed that the ICO was telling complainants that it would not enforce data-protection regulations during the coronavirus crisis. The airline, which reportedly carried 28 million passengers in 2019, has been effectively grounded since the end of March.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.