Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline.
As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet about the hack until mid-May, though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack.
Today emails from the company began arriving with customers. One seen by The Register read:
Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020. Your passport and credit card details were not accessed, however information including where you were travelling from and to, your departure date, booking reference number, the booking date and the value of the booking were accessed.
We are very sorry this has happened.
It also warned victims to be on their guard against phishing attacks by miscreants using the stolen records, especially if any “unsolicited communications” arrived appearing to be from Easyjet or its package holidays arm.
Perhaps to avoid spam filters triggered by too many links, the message mentioned, but did not link to, a blog post from the Information Commissioner’s Office titled, “Stay one step ahead of the scammers,” as well as one from the National Cyber Security Centre, published last year, headed: “Phishing attacks: dealing with suspicious emails and messages.”
There was no mention in the message to customers of compensation being paid as a result of the hack. Neither, when El Reg asked earlier this week, did Easyjet address the question of compo or credit monitoring services.
More woes, as Easyjet founder flounders
Separately, an Easyjet company general meeting held this morning to sack its CEO and key execs ended with company founder Stelios Haji-Ioannou being outvoted by his shareholders.
Stelios wanted to replace them with people who would cancel a £4.5bn order for new Airbus aircraft, which he says is unnecessary spending at a critical moment. No new details about the hack were mentioned in news reports of the meeting.
Stelios did not take news of his loss well, issuing a statement [PDF] accusing Easyjet and Airbus of “voting fraud,” threatening to sue the Daily Telegraph for pouring scorn on his anti-Airbus campaign, and branding Airbus itself “the scoundrels”.
The Guardian reported Easyjet finance chief John Barton as saying: “The company has no right to unilaterally terminate the contract [with Airbus].
“The one-off costs associated with termination would be very material and taken with the future value of contract, termination would be hugely detrimental and seriously impact the company’s ability to operate as a low-cost airline.”
Easyjet’s fleet has an average age, according to a planespotters’ website, of just over eight years – relatively young in aviation terms – though some of its longest-serving aircraft are more than 15 years old. ®