On Tuesday, budget airline EasyJet revealed they experienced a cyber-attack that exposed 9m customer details.
Airline brand Easyjet should have been gearing up for the busy summer season ahead. Last year alone, the company flew 96.1m passengers across the globe, keeping to their ethos of finding new and affordable ways to travel.
However, the ongoing coronavirus pandemic (that has forced the company to cancel a multitude of flights) has this week revealed an unfortunate cyberattack which exposed the details of 9m of their customers. Following this event, it’s likely that the cheap and cheerful airline will have a difficult year ahead.
The background
On Tuesday 19th of May, the company announced that email addresses and travel details were accessed by an unwarranted source. Out of the 9m customers affected, 2,208 had credit card details stolen, easyJet told the stock market. However, no passport details were uncovered.
EasyJet were hesitant to give details of how the breach occurred but said it had “closed off the unauthorised access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data regulator.
Those customers whose credit card details were taken have been contacted, while everyone else affected to be contacted by 26 May.
“However this breach has been manufactured, it’s clear that the aviation industry is experiencing something of a perfect storm as operators’ resources are stretched, even prior to Covid-19, and cyber groups have become increasingly active in recent weeks,” comments Andy Barratt, UK managing director at global cybersecurity consultancy Coalfire,
“Airlines, and the wider travel sector, are consistently targeted by cybercriminals due to a large amount of digital transactions, credit and information sharing needed to ensure the industry operates smoothly. Notably, the direct-to-consumer booking models used by budget operators circumvent some of this but mean that there is little room for them to outsource risk when it comes to cybersecurity, as EasyJet will no doubt now be aware,” he continues.
Scared of a cyber attack?
EasyJet was not the first major airline to face a catastrophic cybercrime. In 2018, almost 400,000 British Airways customers had their personal details and bank cards stolen in one of the most severe cyber-attacks in UK history. And it was a fate that could have allegedly been avoided.
Poor IT infrastructure on the airline’s website was supposedly the reason for the hacker groups easy access to customer information. The main failing being vulnerability in third-party Javascript used on the website.
This may have just been a slip-up on the BA tech teams’ part, but the company did not just receive a slap on the wrist for poor practice, the airline was forced to pay a staggering £183m penalty by the ICO.Take off: BA was forced to pay a £183m fine for data breeches in 2018.
As business and office activities move towards a more tech-dominated way of working, it is crucial that employers are versed in cybersecurity best practise.
Real Business reached out to managing security consultant Colin Robbins at UK based cybersecurity companyNexorto provide some key tips;
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
