London - EasyJet waited three months before telling almost 10 million customers their personal details had been stolen by hackers, it emerged on Tuesday.
More than 2 200 credit card details were accessed and 9.8 million names, email addresses and travel details taken in the ‘highly-sophisticated’ data breach.
The cyber attack – one of the largest to hit a British company – targeted flight and holiday bookings made between the middle of October last year and the beginning of March.
The airline first became aware of it in late January but was not able to stop the hackers until March, and only started contacting victims last month. EasyJet said the delay was caused by the need to investigate the breach thoroughly.
A spokesperson said: "This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.
"We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed."
EasyJet added that there is no evidence the stolen personal information has been misused and no passport details were taken. Customers who had their credit card details accessed were notified last month and those who have had names, emails and travel details stolen will be told within a week.
It is understood the breach affects the person who made the booking rather than co-travellers. It includes bookings made on the airline’s website and app. EasyJet went public with the breach yesterday after a recommendation from the Information Commissioner’s Office.
The data watchdog is concerned about a rise in online scams during the coronavirus crisis and has said all affected EasyJet customers should be made aware as a precaution.
Jake Moore, of cyber security firm ESET, said: "This does highlight the need for extra vigilance among the rapid increase of inevitable phishing emails."
Many cyber criminals will now jump into the wake of the initial attack and purport to be from EasyJet, enticing customers to hand over further details such as passwords or other personal data.
The attack means EasyJet is facing a multi-million pound fine from the ICO at a time when the pandemic has already put it under severe financial pressure. It has grounded the vast majority of its fleet due to the current global travel restrictions and has plans in place to suspend flights until the end of the year if necessary.
The ICO announced last year that it intends to fine British Airways a record £183-million after the data of more than 500 000 passengers was compromised in a hacking incident. But that incident included a significantly larger number of stolen credit card details.
EasyJet boss Johan Lundgren said: "We would like to apologise to those customers who have been affected."