EasyJet, like many other airlines, is a struggling business with the COVID-19 pandemic preventing anyone from flying. But now the company has suffered a huge cyberattack in which the email addresses and flight details of 9 million customers were put at risk. 

Worse, over 2,200 people’s credit card details were stolen. EasyJet revealed the embarrassing breach on Tuesday 19 May and has contacted all customers whose card details were exposed. Other customers will be contacted by 26 May, but no passport information was acquired by the attackers.

The company hasn’t explained exactly how the details were stolen, only saying that it was a “highly sophisticated cyber-attack” and that it has now “closed off this unauthorised access” to prevent further breaches.

GDPR rules state that companies are responsible for handling customer data securely, and the fines for failing to do this can be huge. Only last year, British Airways was fined £183m after half a million customers’ details were stolen.

EasyJet hack: what to do if you’re affected

  • Contact your card provider and explain the situation
  • Watch out for emails asking for personal information

If your card details are ever exposed in an online data breach, you should contact the card issuer and explain what’s happened. You should also monitor your account for any fraudulent activity, and report it to the card issuer.

EasyJet said in a statement that “There is no evidence that any personal information of any nature has been misused” but it’s only a matter of time before those details are sold on the dark web to the highest bidder.

All affected customers should watch out for phishing attacks, which are already happening at a frightening rate due to COVID-19. 

Security experts are already warning of the dangers to EasyJet customers. Tim Sadler, CEO of Tessian said, “EasyJet customers are now at greater risk of phishing scams following this cyberattack, and people need to be wary of emails they receive purporting to come from the airline company. Always check the sender name and email address match up and if you're being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website.

"Unfortunately, it was only a matter of time before a cyber attack of this scale crippled a large organisation, and the attack should act as a warning to all organisations that no one is safe from a severe breach of data. Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we've seen a huge increase in the number of cyber attacks and scams during this time.”

David Emm, principal security researcher at Kaspersky, said, “This breach affects a large number of people and, while it’s good to see that customer passwords have not been compromised, the data that has been stolen – including e-mail addresses, credit card details and customer travel details – will offer plenty of grist to the cybercriminals’ mill.  Anyone affected by the breach should be especially cautious about responding to unsolicited messages, since it’s likely that criminals will exploit the situation to send out phishing messages offering ‘too good to be true’ offers. They should also check their bank accounts regularly for any suspicious activity.

“We would recommend that everyone protects their devices with robust security protection, and applies operating system and application updates as soon as they become available. We would also urge people to use unique, complex passwords for all their online accounts and take advantage of two-factor or two-step authentication where a provider offers this.”

For more, see how to avoid phishing scams