EasyJet data breach

The EasyJet data breach was a cyberattack on the computer systems of British airline EasyJet.

Discovery
EasyJet first learned of the cyberattack at the end of January 2020. Approximately nine million people were affected with the credit card details of 2,208 also accessed. EasyJet notified the Information Commissioner's Office while they were investigating the breach.

Public admission
EasyJet publicly revealed the attack in May 2020. They told the BBC that they were only able to notify customers whose details (credit card or email addresses) were stolen in April 2020. EasyJet told BBC "This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted". They also said "We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed".

The affected data covers flight bookings made from 17 October 2019 to 4 March 2020.

The stolen credit card details include the card security code.

EasyJet said they had gone public to notify the nine million customers whose email addresses had been accessed to beware of phishing attacks and that it would notify everybody by 26 May. Passengers whose credit card details were accessed were notified in April. They did not reveal details of the attack but said it seemed to be aimed at "company intellectual property" rather than information that could be used in identity theft.

EasyJet was not obliged to notify passengers whose basic booking details were compromised but they announced the details because of an increase in phishing attacks during the COVID-19 pandemic. Passport details were not accessed.

The Information Commissioner's Office said they were investigating. The ICO said "People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary".

GDPR requires companies to store personal details securely and EasyJet could face fines from the ICO of 4% of the airlines' turnover in 2019.