It has been reported that hackers have accessed and stolen details of about 9 million customers of British airline easyJet. Approximately 2,208 easyJet customers have also had their credit card details accessed and stolen.
easyJet reported that it became aware of this “highly sophisticated” cyberattack in late January this year. After an investigation, the airline recently disclosed that the details accessed and stolen by the hackers included email addresses, travel information, and credit card data including CVV numbers.
While it doesn’t look like the personal information obtained by the hackers has been misused yet according to the airline, there is heightened concern over the information being used in online scams, such as phishing scams, during the current global pandemic. The information may also be used for credential stuffing attacks in the future.
This hack is currently being investigated by the UK’s Information Commissioner’s Office, and already is there is talk in the media of a significant, if not the highest to date, penalty possibly being imposed on easyJet. Under the EU’s General Data Protection Regulation, the maximum penalty for data breaches can reach an amount of €20 million or 4% of a company’s annual worldwide turnover, whichever is greater. As previously blogged, the UK intends to follow the GDPR during the transition period post-Brexit, after which the GDPR will be brought into UK law as the “UK GDPR“.
We’ve previously highlighted the need for individuals and organisations to remain vigilant and look out for phishing scams which are on the rise during the COVID-19 pandemic. Airlines may be largely out of action for the time being, but your security systems for protection of personal information shouldn’t be.