EasyJet data breach

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

EasyJet data breach: what happened and what it means

In January 2020, EasyJet said its computer systems were hit by a cyberattack. The breach affected about nine million customers’ email addresses. For 2,208 people, credit card details were accessed, including the card security code. Flight booking data from October 17, 2019 to March 4, 2020 was also affected.

EasyJet described the attack as highly sophisticated. It took time to understand the full scope and to identify who had been affected and what information was accessed. The company said there is no evidence that passport details were accessed, and that the intrusion appeared to focus on company intellectual property rather than directly on personal data.

Public notice and response: EasyJet revealed the breach in May 2020. The company told the BBC that they could only inform customers once the investigation progressed enough to determine who had been affected and what information was involved. They notified people with stolen card details in April and planned to inform all customers by May 26, 2020. Because phishing attacks were rising during the COVID-19 pandemic, EasyJet urged customers with email addresses exposed in the breach to be extra vigilant.

Regulatory oversight: The breach prompted an investigation by the UK Information Commissioner’s Office (ICO), which oversees data protection. In August 2023, the ICO said the investigation had been deprioritized. Passport data were not accessed during the incident.