EasyJet admits data breach affecting 9 million customers

Low-cost airline EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers. Email addresses and itineraries were stolen and that 2,208 customers had also had their credit card details “accessed”.

It is thought the attackers had access to the data of customers who booked flights from 17 October to 4 March last year; this was the date of booking, not the date of travel.

The airline became aware of the data breach at the end of January but only admitted the breach yesterday.

A spokesperson said: “This was a sophisticated attacker and it took time to understand what information may have been accessed and to make sure they could not come back into the systems.

“As soon as we discovered it, we started an investigation and have closed off this unauthorised access.”

Two people with knowledge of the investigation, who spoke to Reuters on condition of anonymity, claimed the cyber-attack appeared to be part of a series of attacks by suspected Chinese hackers aimed at the bulk theft of travel records and other data.

Stolen data

Stolen credit card data included the three digital security code – known as the CVV number – on the back of the card itself.

The British budget airline said that all affected customers will be contacted in the next few days and that there was “no evidence” that the personal information has been misused.

EasyJet said it had informed the Information Commissioner’s Office (ICO) and the National Cyber Security Centre of the breach. They said they were only able to notify customers whose credit card details were stolen in early April and that they had gone public now in order to warn the nine million customers whose email addresses had been stolen to be wary of phishing attacks. Everyone affected would be contacted by 26 May.

They believe the hackers were targeting “company intellectual property” rather than information that could be used in identity theft.

The Spokesperson added: “There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.

“We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays.”

Personal Information

A spokesperson for the ICO said: “People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”

EasyJet, like the rest of the aviation industry, has been hit hard by the COVID-19 pandemic, which has put business and holiday travel on hold.

The company has also furloughed thousands of staff and borrowed £600million of taxpayer money under a government bailout scheme. 

EasyJet chief executive Johan Lundgren said in a statement: ‘Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. 

‘As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.’ 

An NCSC spokesman said: ‘We are aware of this incident and have been working with EasyJet from the outset to understand how it has affected people in the UK.

‘The NCSC would recommend anybody with accounts that could have been compromised to be especially vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information.’ 

British Airways was hit in 2018 with the theft of credit card details of hundreds of thousands of customers, while Cathay Pacific Airways was also hit. 

Data Protection

This latest data breach shows once again that however challenging situation are, businesses should not take their eye off the ball and data protection must remain one of their top priorities. Many organisations, especially airlines, have been hugely impacted by coronavirus and are trying to survive and remain operational. It is important to remain focused and make sure that appropriate measures are put in place to ensure that robust data protection measures are in place.

People who think their details have been compromised should revise their data security to minimise any risk of potential phishing. This includes checking computer malware and making sure they have secure passwords. There is a risk that phishing emails that leverage data stolen during the attack could be used as an attack vector at any point in the future.


iCaaS software does all the hard work of achieving compliance and ultimately minimises the risk of data breaches. By securing your business, the iCaaS platform will save you time and money. More importantly it will secure your staff and help to build confidence and trust within your customer base.

The iCaaS data protection training course is accessible through your browser and takes on average, just 30 minutes to complete and is designed to be intuitive and easy to use.

iCaaS is the Trusted Standard in Data Protection. Get in touch, speak to a specialist today. Call 0345 646 0066 and visit: www.myicaas.com


Scroll to Top