On May 19th 2020, EasyJet revealed they had been the target of a sophisticated cyber breach back in January, affecting around 9 million customers. The attackers accessed personal details including travel itineraries and, for 2,208 customers, bank card details including the CVV.
EasyJet are not the first big organisation to be hit by a cyber attack this year, with both Boots and Tesco reporting breaches back in March. Yet the EasyJet breach is certainly one of the biggest high-profile cyber attacks to have been reported, and they are facing a huge backlash as a result.
HOW DID IT HAPPEN?
EasyJet are yet to release information regarding how the breach happened. Instead, they claim the attack was extremely sophisticated and suggested hackers were targeting “company intellectual property” rather than information that could be used maliciously.
Steve Shields, Professional Services Director at PCS and cyber security enthusiast said, “Although they’ve not revealed the cause just yet, an educated guess on how this could have happened would be enhanced user privileges because of the current Covid-19 situation. This would allow a ‘basic user’ to see more data or have more rights than they would normally be allowed.”
“The odd thing is the mention of the 2,208 credit card details including the CVV that have been compromised. EasyJet shouldn’t be storing bank CVV details at all really. This makes me suspect that the attack was perhaps a Magecart-style skimming attack which grabbed the payment details and other personal information from EasyJet customers as they booked flights on the airline’s website.”
A Magecart-style skimming attack is one in which hackers implant malicious code into a website to steal card information as people enter it, usually on the checkout page. It is the website equivalent of a card skimmer fitted by criminals to an ATM. In this type of attack the criminals would:
- Gain access to EasyJet's website (directly or through a third-party script it loads) and insert the malicious code.
- Skim or copy data as it is entered, usually on the checkout page.
- Send the skimmed details to the hacker's server for later use.
COULD THIS HAVE BEEN AVOIDED?
In reality – probably. EasyJet should have had robust technology in place to support their GDPR requirements. As with any technology within your business, this requires constant housekeeping to ensure systems are as up to date as possible. Doing this is essential to avoiding breaches like the one EasyJet have experienced.
This includes auditing all users and their access rights at regular intervals, training staff to spot when things seem irregular, and auditing all website code, including code supplied by third-party vendors.
WHY ARE WE ONLY HEARING ABOUT IT NOW?
EasyJet confirmed that whilst the breach occurred in January, they needed time to check the effects of the data breach and who had been impacted. They withheld informing customers until they had fully investigated the attack internally but notified the Information Commissioner’s Office (ICO) immediately.
“This was a highly sophisticated attacker. It took us some time to understand the scope of the attack and to identify who had been impacted,” said a spokesperson at the airline.
“We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”
In April, the budget airline notified the 2,208 customers they identified as having credit card details compromised and offered them support including a dedicated helpline and monitoring. Since then, and following guidance from the ICO, they have notified other customers that had their email addresses stolen because of this attack, especially given the phenomenal increase in phishing emails since the outbreak of the Covid-19 pandemic.
They have indicated that all those affected were made aware by May 26th 2020 and have asked customers to remain vigilant in response.
As with all cyber breaches, the ICO will be involved in the investigation, and they will not fail to come down hard on the airline for failing to protect customers' data in line with GDPR.
Last year, British Airways faced a "notice of intent" issued by the ICO which fined the airline £183.4 million for failing to protect the data of 500,000 customers in a data breach they experienced during 2018.
The ICO are likely to do the same with EasyJet, but it's thought the outcome will cost much more, with a reported £18 billion lawsuit being filed against the airline as we speak.
As well as the cost of a heavy fine to the business, EasyJet’s reputation is hanging by a thread and future business will be impacted.
They rely heavily on the e-commerce side of their transactions and this breach puts a question mark on consumer trust and credibility going forward.
There is also likely to be a spike in phishing attacks, with criminals looking to exploit the situation and customers' vulnerability.
With names, email addresses and itineraries in hand, it would be quite easy for cyber criminals to craft a very plausible email that could con an unsuspecting EasyJet customer into clicking a malicious link or entering sensitive details.
WHAT TO DO IF YOU’VE BEEN AFFECTED?
EasyJet are contacting all customers directly to advise them of the data breach. While they claim there is no evidence to suggest financial loss thus far or misuse of data, you should remain vigilant and act cautiously going forward.
If you think you’ve been affected by this attack, we advise that you should:
1. CHANGE YOUR PASSWORD
Change your EasyJet password immediately and if you think you’ve used that password elsewhere online, change that too. Try using a password manager to generate or store different passwords or install two-factor authentication.
2. REGULARLY CHECK CREDIT CARD STATEMENTS
Spotting fraud early is key to avoiding huge financial loss. Check your recent transactions and, if you spot anything suspicious or unrecognisable, flag it with your bank.
3. BE ON THE LOOKOUT FOR SPOOF EMAILS
Customers should be wary of any communication claiming to be from EasyJet and check the email address carefully, especially if it asks for more personal or financial details. EasyJet say they will never contact you to disclose information without warning.
4. CHECK YOUR CREDIT REPORT
Email addresses coupled with personal details can be used for identity fraud. Check your credit report regularly, paying attention to any hard searches or newly opened accounts you don’t recognise. If you find anything, get in touch with the lender straightaway.
If you receive an EasyJet communication requesting personal details and are unsure of its legitimacy, always ring EasyJet directly to confirm, using a telephone number EasyJet has published. Do not use any telephone number listed in what could be the hackers' phishing email.
HOW TO AVOID BREACHES LIKE THIS
The EasyJet breach is another example of cyber criminals getting away with valuable information at the expense of others. To avoid this, all businesses must ensure their technology, network and systems are up to date and audited at regular intervals.
Ensure that all systems, technology, and cyber security protection is configured correctly and that you take guidance from experts on the best way to secure your business. Guesswork is not an option.
You should make sure that your internal IT team are informed when a member of staff leaves, and that everyone has the level of access appropriate to their role. It's very easy, and lazy, to give everyone the same privileges.
Take time to understand who accesses what and why. All too often a standard user still has admin rights because they were once tasked with a job that has long since changed.
“This seems like a two-pronged attack that aimed to steal both data and credit card details, and highlights even more, the need for businesses to take cyber security seriously – before it’s too late.”
“Treat emails with suspicion and always use published numbers when calling companies because of an email. Stay vigilant and check bank statements for unrecognised transactions, not just now but for months to come.
“Remember – these people are professionals at doing this and will use any event, no matter how immoral, to take advantage. Just like they’ve done during the Covid-19 pandemic and will continue to do in the future.”
Professional Services Director, Pure Cloud Solutions
We're always banging the drum about cyber security here at Pure Cloud Solutions, and the EasyJet breach is just another good reason why. Cybercrime is on the rise and the criminals behind it are getting better at what they do. EasyJet is just one of many businesses to have been affected.
Cybercrime affects all businesses – it's only a matter of time before it happens to you. Why wait to protect yourself?
MAKE CYBER SECURITY YOUR PRIORITY
Cyber security attacks are up 37% since the Covid-19 outbreak in the UK. Don’t leave your cyber security protection to chance. Speak to PCS and discover the simple measures, technology, and procedures you can put in place to beat the cyber criminals both now and in the future.
Simply call us on 0333 150 6780, email us or fill out the contact form below for FREE advice and expert support.