EasyJet cyber attack was ‘work of Chinese hackers’

A group of Chinese hackers is thought to have been behind a cyber attack on easyJet, during which the travel plans and email address of nine million of its customers were stolen.

The hackers were also able to steal the credit card details of 2, 208 customers.

EasyJet said the attack in January came from ‘a highly sophisticated source’ and, according to news organisation Reuters, the hacking tools and techniques used point to a group of suspected Chinese hackers thought to be behind multiple attacks on airlines in recent months.

Quoting two people with knowledge of the investigation, who did not wish to be named, Reuters said the attack appeared to be part of a series by suspected Chinese hackers aimed at the bulk theft of travel records and other data.

EasyJet has not publicly released any further details of the attack, but it said it had begun contacting customers who were affected back in April.

It says those whose credit card details were stolen have already been informed and offered advice by the airline. EasyJet says it will contact customers whose travel plans and email addresses were hacked by May 26.

The airline claims passport details were not stolen.

 "As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue.  We also notified the National Cyber Security Centre and the ICO (Information Commissioner’s Office). We have closed off this unauthorised access," it said

"These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed."

EasyJet said it revealed the attack yesterday because it said it wanted to make the wider public aware of the possibility of email phishing scams. It did not say why he hadn’t informed customers as soon as it discovered the data breach in January.

"We take issues of security extremely seriously and continue to invest to further enhance our security environment," it said.

There is no evidence that any personal information of any nature has been misused, said easyJet, however, it said that it was advising customers of protective steps to minimise any risk of potential phishing.  

"We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications," added easyJet. "We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.

"We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously."

EasyJet CEO Johan Lundgren said: "We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.

"Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams.  As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.

"Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.

"We would like to apologise to those customers who have been affected by this incident."

However, Joseph Carson, chief security scientist at Thycotic, questioned why easyJet has yet to inform all customers of the breach. 

"The notice of the security incident includes the common terms such as a highly sophisticated source, though this all too often turns out to be overstated and until a proper digital forensics investigation is completed, such statements tend to attempt to downplay responsibility," said Carson.

"The statement includes that robust security measures are in place but as always, it only takes one click on a malicious email, a stolen credential or a misconfigured database that allows criminal attackers access to company’s networks.  

"The main concern is it appears that not all customers have been notified yet which means between now and proper notifications, it is highly likely that their data could be abused unknowingly. This type of notification will also likely mean a large flood of inbound customer support calls that could overwhelm EasyJet’s already stretched support team. 

"The notice of the security incident could do with improvements but at least it is a good start and easyJet do appear to be following an Incident Response plan.  Any sensitive data should be always protected with strong encryption, multifactor authentication and strong privileged access security or reduce the risks from unauthorized access."