easyJet has suffered a "sophisticated" cyberattack, which compromised 9 million customer records. 

easyJet, a U.K. budget airline, admitted the breach in a statement. A forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed, says easyJet. According to the company, customers who were affected by the cyberattack have been contacted and offered support.

easyJet claims no passport details were stolen and that there is no evidence that the information stolen has been used for malicious purposes.

easyJet Chief Executive Officer Johan Lundgren said, "We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers' personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated. Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications."

Chris Morales, head of security analytics at Vectra, says this was most likely the compromise of a web-facing application. "I’d say it was the travel booking system, which makes the most sense here. Considering the cost of plane tickets and all the fees they like to charge, there would be some good credit cards on file. I’m amused by the claim of a 'highly sophisticated attacker' with no details explaining what that means. It is easy to call any attack that succeeds as highly sophisticated rather than say easy to compromise systems. If the attack was a web facing application, and the attacker used password compromise tricks or vulnerabilities in the system, then it is hardly advanced. That is quite normal for an attack."

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, says, "Another day, another major data breach. This time another airline with easyJet becoming the next victim of unauthorized access to approximately 9 million customers' data such as contact and travel details including some customers' credit card details. The airline industry is not a new target and in previous years cybercriminals have targeted multiple airline customers stealing sensitive data such as identity documents, credit card details, travel itineraries and frequent travel."

The notice of the security incident includes common terms such as a "highly sophisticated source," though this all too often turns out to be overstated and, until a proper digital forensics investigation is completed, such statements tend to attempt to downplay responsibility, says Carson. "The statement includes robust security measures in place though as always it only takes one click on a malicious email, a stolen credential or a misconfigured database that allows criminal attackers access to companies' networks. The one concern to me is it appears that not all customers have been notified yet which means between now and proper notifications it is highly likely that their data could be abused unknowingly. This type of notification will also likely mean a large flood of inbound customer support calls that could overwhelm easyJet’s already stretched support team."

The notice of the security incident could do with improvements; however, "it is a good start and easyJet do appear to be following an incident response plan. Any sensitive data should always be protected with strong encryption, multi-factor authentication (MFA) and strong privileged access security or reduce the risks from unauthorized access," adds Carson.