Budget airline easyJet was aware of the data breach, which revealed personal information of nine million customers and the credit card information of over 2,200 customers, in January.
News of the cyber attack broke yesterday, revealing that the attacker or attackers had access to the data of customers who booked flights from 17 October 2019 to 4 March 2020.
In a statement, the airline said: “We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.
“There is no evidence that any personal information of any nature has been misused.”
However, while there is no evidence the data was misused, that does not mean that it cannot be misused. Experts suggest that personal information “drives a higher price on the dark web” – the area of the internet inaccessible by mainstream search engines – and could be used for organised crime or ransomed.
Two people with knowledge of the investigation have said that Chinese hackers are supposedly responsible for the hack based on similarities in hacking tools and techniques used in previous campaigns, but that has yet to be officially confirmed.
In a statement, the Information Commissioners' Office (ICO) said: “We have a live investigation into the cyber attack involving easyJet. People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”
Under GDPR legislation, the ICO can impose a fine of 4 per cent of easyJet’s turnover in 2019, which could amount to £255m. The average total cost of a data breach is approximately £3.2m.
Cyberattacks against airlines rose by 15,000 per cent between 2017 and 2018, and are lucrative targets not only for the amount of personal information they hold but also because, during the coronavirus pandemic, many companies have been focused on simply continuing to exist.
Airlines are also more likely to rely on older, legacy software which is more likely to be out of date and therefore exploitable, experts say.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies