
EasyJet data breach – 9 million customers’ personal details stolen

On 19th May 2020, EasyJet confirmed that it had been the target of a “highly sophisticated cyber-attack”. EasyJet’s customer database was hacked in the attack, with the details of nine million customers potentially exposed to cybercriminals.

While EasyJet said it took immediate steps to respond to and manage the breach, the company admitted it first became aware of the attack in January this year. This means there was a delay of around four months between the time EasyJet knew about the attack and the time it made this information public.

An EasyJet spokesperson told the BBC:

This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.

We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.

The breach affects customers who booked flights from 17 October 2019 to 4 March 2020. Following guidance from the Information Commissioner’s Office (ICO), EasyJet has taken steps to alert all affected customers.

EasyJet said it would notify all affected customers by 26 May, but this means customers’ data has potentially been in the hands of cybercriminals for months, putting those customers at serious risk of identity fraud and other criminal activity. EasyJet has confirmed that 2,208 customers have had their credit and debit card details exposed since the hack.

The airline confirmed that it had reported itself to UK data protection regulator the Information Commissioner’s Office (ICO). The ICO said:

People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.

If the ICO finds that the breach was made possible by poor security processes at EasyJet, the company is likely to face a serious fine. EasyJet customers whose data was exposed in the hack are also likely to have grounds to claim compensation from the airline.

The customer information exposed in the EasyJet data breach includes:

  • Financial data (including CVV numbers)
  • Email addresses
  • Travel information*

*Details customers share when booking a flight or holiday, such as their name, email address, origin airport, destination and departure date.

EasyJet initially claimed that “there is no evidence that any personal information of any nature has been misused”.

However, information from Action Fraud (the UK’s national reporting centre for fraud and cybercrime) shows that, as of May 2020, there were 51 reports of fraudulent activity made in relation to the EasyJet data breach. These reports involved customers losing a total of £11,752.81, with one customer losing £2,750.

Our expertise with data breaches

Hayes Connor is home to one of the largest teams of data breach claims specialists in the country. With a wealth of experience and an excellent track record of success, we can guide clients through dealing with any situation where personal data has been lost, stolen or otherwise exposed.

If your data has been exposed or potentially exposed in a data breach, you can take a look at our guide to what to do if your data has been stolen in a data breach.

You can find out more about our expertise and how we handle data breach claims here.

To see how we can help with a data breach, you can use our online claim form or speak to a member of our team by calling 0151 363 5895.
