Easyjet Suffers Fresh Blow After ‘Sophisticated’ Hackers Steal Personal Details Of 9 Million Passengers

Posted by Alex Morrison May 20, 2020
Easyjet

Ahead of a crunch Friday vote that pits budget airline Easyjet’s board against its founder, the company has seen its 2020 go from bad to worse after it was yesterday revealed hackers have stolen the personal details of 9 million customers. Credit card details, including CVV (card verification value) codes, were stolen from more than 2000 accounts.

The airline called the attack, which experts say used techniques and technologies associated with a group of Chinese hackers, “highly sophisticated”. 2 sources “familiar with the investigation”, told Reuters that the breach bore the hallmarks of a Chinese group that has targeted several airlines in recent months.

The motivation for the hack is presumed not to be the theft of credit card details for personal gain but travel records and other data that would provide information on the movements of specific individuals. Saher Naumaan, a threat intelligence analyst at BAE systems who has been involved in investigating similar attacks told Reuters:

“Interest in who is travelling on which routes can be valuable for counter-intelligence or other tracking of persons of interest.”

Easyjet has sent out a letter informing the 2208 customers whose credit card details, including security numbers and expiry dates, were also stolen along with their personal account information. The company said yesterday it has so far seen no evidence of the information being misused, which strengthens the case that those responsible for the hack had other motivations.

Easyjet’s chief executive Johan Lundgren, one of 4 board members founder Sir Stelios Haji-Ioannou, who still owns 35% of the company, is pushing investors to remove from their positions at a vote on Friday, commented on the breach:

“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyberattackers get ever more sophisticated. We would like to apologise to those customers who have been affected.”

The hack was shut down by closing off unauthorised access to Easyjet’s systems after it was discovered. The airline then reported the breach to the National Cyber Security Centre and the UK data regulator, the Information Commissioner’s Office (ICO). Easyjet’s internal investigation discovered hackers had been able to access customer data between October 17 2019 and March 4 this year. Almost 5 months.

Customers whose personal details but not credit card information were stolen are only now being notified, after ICO became concerned by growth in the number of online scams that have taken place during the Covid-19 lockdown. Easyjet has said all nine million individuals affected will be contacted by May 29 at the latest.

On potential misuse of the information acquired by the hackers, Cyberint cybersecurity researcher Jason Hill warned:

“While those affected will be contacted by Easyjet in due course, the exposure of email addresses and travel information could lead to convincing phishing campaigns masquerading as Easyjet or a partner organisation . . . Customers should be cautious of any Easyjet or travel-related email that requests personal or financial information.”

In addition to the negative PR, Easyjet may also now face a fine for failing to protect its customers’ personal data. The ICO has said BA will be fined a record £183 million for the 2018 hack that saw hackers access personal information, including bank details, on 500,000 customers.

Given the recent hit to its revenues and cash flows resulting from the Covid-19 pandemic, a large fine could potentially seriously threaten Easyjet’s financial position. That could potentially see the ICO adopt a less harsh approach than it did with BA. But that could open the regulator up to accusations of an uneven-handed approach.

No precise details on how the hackers managed to open up a backdoor into Easyjet’s systems are known but experts have speculated that the fact CVV numbers were stolen points to a “magecart” hack. That would represent the same technique as used in the BA hack and involves cybercriminals accessing a booking website and adding code that then captures customer details as they enter them in the payments page.

David Castaneda, CEO of Cybersecurity start-up Cybex commented:

“Companies falling foul to especially sophisticated cybersecurity attacks can be forgiven by their customers, who understand that sometimes even taking precautions and investing significantly into cybersecurity is not a 100% guarantee in today’s world. But if it turns out that the technique used was the same ‘magecart’ hack that BA fell foul to, questions will be asked why Easyjet did not address a known vulnerability”.

Disclaimer: The opinions expressed by our writers are their own and do not represent the views of Scommerce. The information provided on Scommerce is intended for informational purposes only. Scommerce is not liable for any financial losses incurred. Conduct your own research by contacting financial experts before making any investment decisions.

scommerce

Welcome! Get free access to EVERYTHING we publish…

Whether you are an investor, tech enthusiast, or entrepreneur we have something for you. You'll get our FREE weekly newsletter with latest news and information along with special offers. Please take time to read our privacy policy. The information you provide us will be processed in accordance with this.