easyJet is a cyber attack victim

easyJet has made this announcement:

More on the attack from the BBC.

Cybersecurity industry experts commented:

 

Mark Bower, senior vice president, comforte AG:

“The aviation industry is struggling at present given the current pandemic, so seeing another major airline succumb to a data breach is not pleasant. On first glance, EasyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.

 

Airlines and the GDS booking platforms that support them contain huge amounts of regulated PII in passenger data that’s potentially at risk. Organizations that process PII data need to take a serious approach to data-centric security. There are proven methods available which can reduce the impact of such data breaches. Tokenization is a great example. With such an approach, all sensitive data elements get replaced by tokens. That means that in the case of a data breach, the data is worthless for attackers. Furthermore, as it is the data elements themselves that are protected, security travels with the data. No matter if it is processed and stored within the company network, or whether it moves outside the perimeter. Too often we see organizations only secure what is mandated – like credit card data, leaving PII exposed at scale. If the full spectrum of personal data isn’t protected as required by modern privacy laws, businesses must realize that it is their brand and reputation that will be negatively affected.”

 

Brian Higgins, security specialist, Comparitech:

“Attacks like this have enormous, knock-on effects for the victims. Once the attack is made public, criminal organizations will immediately seek to take full advantage of the fear and uncertainty the 9 million customers of EasyJet are currently feeling and begin campaigns to exploit them.

 

They will email, call on the telephone or in person, make contact via social media channels. In fact they will use any and all methods to make contact, pretend to be EasyJet and use that fear and uncertainty to make people reveal more of their personal information, login credentials, bank details etc. in order to commit more crime. Any and all unsolicited contact from EasyJet should be ignored, however difficult that may be. Check their official website or contact the Office of the Information Commissioner for advice. Never engage with any other offers of help. They will almost certainly cause you more harm.

 

A company the size of EasyJet should have a comprehensive incident response plan to deal with this attack. The coming days will show us if that is the case, although how they can assure their customers that ‘there is no evidence that any personal information of any nature has been misused’ shows a worrying naivety. This is the golden hour for cyber criminals. EasyJet customers have one line of defense right now: ignore them.”