Breach Notification , Cybercrime , Forensics
EasyJet Data Breach Exposes 9 Million Customers' Details
European Budget Airline Says Payment Card Data Stolen, But Only for 2,200 CustomersEuropean budget airline EasyJet says it suffered a data breach that exposed 9 million customers' personal details.
See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks
"Our investigation found that the email address and travel details of approximately 9 million customers were accessed," according to a notice of cybersecurity incident issued Tuesday by EasyJet, which is based at London Luton Airport, located 28 miles north of central London.
Affected customers will be contacted by May 26, EasyJet adds. "If you are not contacted then your information has not been accessed."
At the beginning of the year, EasyJet served 156 airports in 33 countries. But the airline grounded the majority of its fleet on March 24 due to countries' COVID-19 lockdowns and travel restrictions.
EasyJet says that email addresses and travel itineraries - but no passport information - were exposed in the breach. As part of its ongoing digital forensic investigation, the airline has also found that for a small number of customers - just 2,208 - payment card details were also "accessed" by attackers. "Action has already been taken to contact all of these customers and they have been offered support," it says.
The airline has yet to specify how attackers accessed its systems, when the data breach began, how long it lasted or when it was first detected. But the BBC reports that the breach began in January and that customers whose payment card data was accessed were notified in April.
EasyJet customer Samantha Burt, for one, received an alert from the airline on April 2 saying that her credit card information - including expiration date and CVV - was exposed.
Can I have some advice to my rights on this, I’ve had zero support from EasyJet apart from demanding my balance next week from an account that has now been hacked, I have requested cancel through a contact form over 60 days, no response. What do I do? pic.twitter.com/j6IFz0Uvan
— Samantha Burt (@SamBurt04) April 2, 2020
CEO Issues Apology
"We would like to apologize to those customers who have been affected by this incident," says EasyJet CEO Johan Lundgren. "We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers' personal information."
EasyJet says the notification to customers has been done on the advice of the U.K. Information Commissioner's Office, in part because of heightened worries about phishing scams with a pandemic theme (see: Fresh Twist for Pandemic-Related Phishing Campaigns).
"Owing to COVID-19, there is heightened concern about personal data being used for online scams," Lundgren says. "As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications."
The company says customers should be especially "cautious of any communications purporting to come from EasyJet or EasyJet Holidays."
EU Breach-Notification Rules
Under the EU's General Data Protection Regulation, enforced in the U.K. by the ICO, organizations must inform authorities within 72 hours of discovering a breach that involves people's personal information.
Similar rules are in effect too for the EU's Security of Network & Information Systems Regulations, aka NIS, which applies to essential services, including the transportation sector. The NIS requires covered organizations to notify their local regulatory authority - in the U.K., that's the ICO - "of any incident that has a substantial impact on the provision of your services."
The U.K. Civil Aviation Authority also has oversight of the NIS regulations - together with the government's Department for Transport - as they apply to the aviation sector.
All pertinent information that must be relayed to the regulator - within 72 hours of learning of the incident - may include "the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact," according to the ICO's guide to NIS compliance. The ICO also recommends all organizations filing an NIS incident report simultaneously alert the U.K.'s National Cyber Security Center.
"Major sanctions can be applied for falling foul of the NIS regime," attorney André Bywater, a partner at London-based Cordery, tells Information Security Media Group. But it's not clear yet if NIS might apply or be applicable to this incident. One factor might be whether or not the breach has had "a significant disruptive effect on the provision of so-called ‘essential services,’" which he says "is a very technically complex term." For comparison's sake, he also notes that the 2018 British Airways data breach, which the ICO is investigating, does not appear to have involved NIS.
String of Airline Breaches
EasyJet's breach alert follows other major airlines disclosing data breaches that led to the ICO enforcing fines for poor security practices.
In October 2018, Hong Kong-based Cathay Pacific Airways warned customers that it had suffered a four-year data breach that exposed personal information for more than 9 million passengers and customers, including 111,000 British citizens. In March, the ICO imposed a £500,000 ($612,000) fine against the airline, which was the maximum allowed for the incident, which occurred before GDPR and the potential for much greater fines came into effect (see: Cathay Pacific Airlines Fined Over Data Breach).
In July 2019, the ICO published a notice of intent that it planned to impose a record-setting £184 million ($225 million) fine on British Airways after it suffered a September 2018 data breach that rerouted customers to a fraudulent site designed to steal their payment card data. The airline says about 500,000 customers were affected (see: British Airways Faces Record-Setting GDPR Fine).
A final fine against BA, however, has yet to be set, and has been delayed multiple times due to the ongoing COVID-19 pandemic and the ICO saying it was slowing the pace of its enforcement efforts. Information Commissioner Elizabeth Denham has also said that the amount of the final fine might be lower, due to the extreme financial pressure now facing airlines (see: GDPR and COVID-19: Privacy Regulator Promises 'Flexibility').
Unanswered Breach Questions
With at least three big airlines having disclosed major breaches in recent years that included U.K. victims, one pertinent question is whether airlines are more prone to suffering data breaches.
"It does seem that airlines have more than their fair share of reported data breaches - for example, the ICO investigations into Cathay Pacific and BA,” attorney Jonathan Armstrong, a partner at Cordery, tells ISMG. "I wonder if they do in fact suffer more breaches or if the reporting culture in airlines, coupled with NIS and the need to report, in addition, sometimes to airline authorities, makes them just more open about reporting breaches."
Cue this rhetorical question from Armstrong: "Are they more vulnerable to breaches, or just more honest?”