EasyJet data breach: 9 million customers affected

British low-cost airline group EasyJet has revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach.

The result? Email address and travel details of approximately 9 million customers and credit card details (including CVV numbers) of 2,208 customers were accessed.

How did the attackers manage to breach EasyJet?

EasyJet did not share in their official notice about the incident when it happened, but told the BBC that they became aware of it in January and that the customers whose credit card details were stolen were notified in early April.

They also did not say how the attackers got in, only that it seems that they were after “company intellectual property.” Grabbing customer info might have been an afterthought or a secondary goal, then.

Richard Cassidy, senior director security strategy at Exabeam, says that by looking at recent breaches in the aviation industry, the tools, tactics and procedures (TTPs) being used are largely the same ones that have led to significant breaches in other industries.

“Attackers need credentials to access critical data – we can be certain of this – and often it is social engineering techniques that reveal those credentials. They then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this – as we are seeing here – it is then a case of packaging and exfiltrating critical data,” he added.

“Some airlines are doing it right – implementing state of the art behavioural analytics technologies that learn the normal behaviour of the network and immediately notify the security team when anomalies occur. Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTP’s we’ve seen targeted at aviation this past decade.”

Professor Alan Woodward of the University of Surrey noted that the stolen credit card information might have been the result of a Magecart attack:

If this is same hack as announced to Stock Exchange today then it strongly suggests Magecart as it appears it have CVV etc in the haul. Well spotted from @GossiTheDog https://t.co/1KfmdBWbnF

— Alan Woodward (@ProfWoodward) May 19, 2020

It would not be the first time for an airline to be targeted by Magecart attackers – British Airways was hit in 2018.

Advice for affected customers

“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO [the UK’s data protection watchdog], we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” said EasyJet Chief Executive Officer Johan Lundgren.

“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.

Unsolicited communications may take the form of fake invoices, refund offers, requests for additional data, and so on.

“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website,” advised Tim Sadler, CEO, Tessian.

“Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time. The travel industry especially has been severely impacted by COVID-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future. Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices, and carrying them out at all times.”

The UK National Cyber Security Centre (NCSC) has advised affected customers to:

• Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information
• Change their password on their EasyJet accounts (and other accounts that have the same password)
• Check if their account has appeared in any other public data breaches, and to
• Depending on their nature, report any fraud attempts to the police, the NCSC, and their bank’s fraud department.