U.K. low-cost airline EasyJet plc has been hacked and the details of some 9 million customers were stolen.

The details came from the airline, which disclosed the hack following discussions with the U.K. Information Commissioner’s Office.

In its notice of a cybersecurity incident issued today, easyJet described the hack as an attack from a highly sophisticated source and said the email addresses and travel details of about 9 million customers had been accessed. In addition, the credit card details of 2,208 customers were stolen.

Along with working with law enforcement, easyJet said it had already contacted customers who had credit card details stolen and was in the process of contact the rest of the customers affected. The company added that although it had no evidence that the stolen information had been misused in any way, it was also advising customers of protective steps to minimize the risk of potential phishing.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams,” easyJet Chief Executive Officer Johan Lundgren said in a statement. “As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

Although dates are lacking in the disclosure, the BBC reported that easyJet first became aware of the attack in January and notified customers who had their credit card details stolen in early April. The same BBC report added that the credit card data stolen included the CVV number on the back of the stolen credit cards as well, giving those behind the hack the full ability to use the stolen card data.

The form of the cyberattack was not disclosed.

“EasyJet customers are now at greater risk of phishing scams following this cyberattack and people need to be wary of emails they receive purporting to come from the airline company,” Tim Sadler, chief executive officer and co-founder of human layer security firm Tessian Ltd., told SiliconANGLE. “Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website.”

Discussing the security aspect, Matt Middleton-Leal, general manager and chief security strategist, data security company Netwrix Corp. said it’s clear that easyJet didn’t have appropriate control over its data and may lose customer confidence as a result.

“As the travel industry weathers the COVID-19 storm, it is imperative that airlines maintain the trust of loyal customers and new potential travelers, especially as communication with customers still remains solely virtual,” Middleton-Leal said. “Despite airlines currently well below flying capacity, and the majority of aircraft grounded, security for the travel industry must still be paramount, especially with the ‘cyber-pandemic’ rising alongside the COVID-19 disease. COVID-related phishing attacks have been on the rise, with people falling victim more often during this period.”

Anurag Kahol, chief technology officer at cloud security firm Bitglass Inc., noted that even if it’s not clear yet how the hackers infiltrated easyJet’s systems, the company’s description of a “highly sophisticated” attack shows that cybercriminals are constantly advancing their attack methods. “As such, companies must have full visibility and control over their data by implementing tools that detect and remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” he said.

Photo: Dotonegroup/Wikimedia Commons