The Luton-based carrier said the figure includes 2,208 customers who had their credit card details exposed but there is no evidence that the data has been “misused”.
“There is no evidence that any personal information of any nature has been misused, however ... we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” the airline said in a statement.
“We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.
“EasyJet is in the process of contacting the relevant customers directly and affected customers will be notified no later than 26 May.”
The airline added that it is working with the Information Commissioner’s Office (ICO) and National Cyber Security Centre to get to the bottom of the attack.
Those whose credit card details were accessed should already have been contacted by the airline, while anyone else affected will be contacted within a week.
In the meantime, easyJet is advising customers to be “extra vigilant, particularly if they receive unsolicited communications” in case the hackers use the stolen details for phishing scams.
CEO Johan Lundgren added that easyJet, like other businesses, must “stay agile to stay ahead of the threat”.
He said: “Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams.”
Ryan Gracey, solicitor and technology law specialist at law firm Gordons, called the attack “significant”.
“The General Data Protection Regulation makes it clear that organisations must be accountable for the personal data they hold,” he said. “This includes ensuring proper technical and organisational measures are in place to protect personal data against unauthorised or unlawful access and disclosure.
“Aside from reputational damage, EU regulators have the power to issue significant fines for those firms who have their data breached.”
Ray Walsh, digital privacy expert at ProPrivacy.com, advised all easyJet customers to be cautious.
“Anybody who has ever purchased an easyJet flight is advised to be extremely wary when opening emails from now on,” he said. “Phishing emails that leverage data stolen during the attack could be used as an attack vector at any point in the future. As a result, it is important for consumers to be vigilant whenever they receive unsolicited emails or emails that appear to be from easyJet, as these could be fake emails that link to cloned websites designed to steal your data.”
He recommended updating the password for any easyJet accounts, plus updating the passwords on any other accounts that use the same password.
EasyJet flights have largely been grounded since the coronavirus pandemic resulted in travel restrictions being imposed around the globe.
It’s not the first time an airline has suffered a serious cyber attack. In 2018, British Airways had the credit card details of hundreds of thousands of its customers stolen by hackers, prompting a record £183m fine, while Delta and Cathay Pacific were both targeted the same year.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies