EasyJet says cyberattack exposed data of 9 million customers

Hackers hit the budget European airline, accessing email addresses, travel plans and some credit card details.

Katie Collins Senior European Correspondent
Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.
Katie Collins
2 min read

EasyJet's fleet is currently grounded.

Michael Kappeler/picture alliance via Getty Images

UK budget airline EasyJet reported on Tuesday that hackers accessed the email addresses and travel details of more than 9 million customers in a "highly sophisticated" cyberattack. The hackers also accessed the credit card details of 2,208 customers.

The airline in the coming days will contact customers whose details were exposed in the breach. It has already contacted, and offered support to, those whose credit card information was accessed.

"We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers' personal information," said EasyJet CEO Johan Lundgren in a statement. "However, this is an evolving threat as cyber attackers get ever more sophisticated. ... We would like to apologise to those customers who have been affected by this incident."

As soon as the airline became aware of the attack, it took steps to respond to and manage the incident and engaged forensic experts to investigate the issue, EasyJet said. It also notified the National Cyber Security Centre and the ICO, the UK's data protection watchdog.

"We have a live investigation into the cyber attack involving easyJet," said a spokeswoman for the ICO in a statement. "People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary."

The ICO will be able to examine whether EasyJet should be fined under Europe's General Data Protection Regulation (GDPR), which is part of UK law.

The entirety of the 25-year-old airline's fleet, which operates on international routes all over Europe, is grounded due to the COVID-19 pandemic, meaning the travel plans of many customers will likely be canceled. In spite of this, EasyJet said customers should be on the lookout for phishing scams and be cautious about any communications purporting to come from EasyJet or EasyJet Holidays.

See also: Flights are dirt-cheap. Should you book travel amid coronavirus?

Watch this: Here's how scammers are using the coronavirus to cash in