EasyJet Says Hackers Stole Data of 9 Million Customers

(Bloomberg) -- EasyJet Plc said email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest data breaches to hit the airline industry.

The intruders also accessed credit card details for 2,208 customers in the “highly sophisticated” attack, EasyJet said Tuesday in a statement. The airline said it’s closed off the unauthorized access, notified those whose credit-card information was exposed and will contact the rest of the customers over the next few days.

Cyber-attacks against businesses and their employees have surged this year as hackers take advantage of the disruption caused by the coronavirus pandemic. While the EasyJet breach was discovered in late January, predating the disease’s flare-up across Europe, the company is alerting those whose exposure was limited to email and travel details to guard against a rising number of so-called phishing attempts, a person familiar with the situation said.

Airlines have had several high-profile breaches in recent years. In 2018, Hong Kong’s Cathay Pacific Airways Ltd. disclosed that hackers accessed information on 9.4 million customers, making it the world’s biggest airline data breach at the time. That same year, hundreds of thousands of British Airways and Delta Air Lines Inc. customers had their information hacked.

“The EasyJet breach comes at a time of unprecedented challenge for airline operators,” said James Castro-Edwards, a partner at law firm Wedlake Bell. The potential consequences of enforcement action and any ensuing group litigation could be “catastrophic,” he added.

British Airways Fine

The U.K. fined British Airways, a unit of IAG SA, 183.4 million pounds ($224 million) over the hacking incidents, marking the first major British application of far-reaching European Union rules requiring companies to tighten anti-hacking measures.

Under the EU’s General Data Protection Regulation, companies can be penalized by as much as 4% of their global annual revenue, depending on the nature of the incident. For EasyJet, that would be as much as 255 million pounds ($312 million) if the “higher maximum” penalty were imposed by the U.K. Information Commissioner’s Office.

The ICO would investigate and take “robust action where necessary,” the agency said in the statement.

Attack Timeline

The Luton, England-based carrier reported the breach in January and has been working alongside the ICO and the U.K.’s National Cyber Security Centre, said the person, who asked not to be named discussing a confidential investigation. So far there is no indication that credit card information has been misused, the person said.

Passengers whose credit card details were stolen were informed in April and offered 12 months of free credit monitoring, according to an email sent to customers and seen by Bloomberg.

An influx of employees working from home has opened up new network vulnerabilities for many companies, and phishing emails purporting to be from trusted health agencies prey on employees looking for information.

Under GDPR, companies have an obligation to report personal data breaches to authorities within 72 hours where feasible. According to the regulation, companies must as soon as possible also alert individuals whose data has been compromised in cases where the breach poses a “high risk to rights and freedoms.”

While the U.K. has left the EU, GDPR rules would likely still apply, given the transition period under way and the low-cost carrier’s sizable business with countries and customers that remain within the bloc.

The NCSC confirmed it was working with EasyJet to investigate the hack. It recommended anyone with accounts that could have been compromised change passwords and “be especially vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information.”

Reuters reported earlier that the hackers were suspected to be Chinese and thought to be involved in similar attacks on other airline websites, citing people familiar with the investigation. EasyJet and the ICO declined to comment on the report.

Shareholder Showdown

Covid-19 has already forced EasyJet to ground planes and created the opening for a revolt by its founder and biggest shareholder, Stelios Haji-Ioannou. The International Air Transport Association estimates European carriers face a revenue loss of $89 billion in 2020.

EasyJet on May 22 will hold a shareholder meeting called by Haji-Ioannou, who wants to remove four directors including Chairman John Barton, Chief Executive Officer Johan Lundgren and Chief Financial Officer Andrew Findlay. He’s seeking to halt the carrier’s continued expansion plans.

EasyJet shares reversed earlier gains after the hack was disclosed, closing 0.8% lower at 547.20 pence in London.

©2020 Bloomberg L.P.
