What Happened at The EasyJet Data Breach?

The 2020 EasyJet data breach was the second attack on a major European airline in less than two years. 

In 2018, British Airways suffered a similar data breach where cybercriminals managed to steal data of 420,000 customers—380,000 of which contained credit card details. 

The EasyJet data breach affected approximately nine million customers, but only 2,208 had credit card information stolen, including the CVV numbers.

What Was the Fallout from the British Airways Data Breach?

It's important to understand the fallout of the British Airways data breach to predict what could happen to EasyJet in the next 18 months (as of August 2021).

The UK's Information Commissioner's Office (ICO) fined British Airways £27.7 million (reduced from the initial £183 million) for failing to protect its customers' data. Before the British Airways incident, the ICO's biggest fine was £500,000, issued to Facebook in connection with the infamous Cambridge Analytica scandal.

The cost to British Airways' customers was minimal, with only one report of someone trying to use one of the stolen cards to purchase goods by phone at Harrods. Fortunately, the bank rejected the transaction.

Major Class-Action Lawsuit Against British Airways

In addition to the ICO fine, law firm PGMBM filed a class-action lawsuit on behalf of 16,000 victims for £800 million. The parties eventually reached an undisclosed out-of-court settlement in July 2021.

Class-action lawsuits are rare in the United Kingdom, so this settlement is significant and should serve as a wake-up call to UK- and EU-based companies.

What Happened at the EasyJet Data Breach?

EasyJet remains tight-lipped about what happened in 2020 but said in a statement that this was a "highly sophisticated cyber-attack." The breach affected customers who booked EasyJet flights between October 17, 2019, and March 4, 2020.

EasyJet was alerted to a breach in January 2020 but only went public about the incident in May while conducting investigations. EasyJet announced that the breach compromised nine million customers, including 2,208 credit card details with CVV numbers.

EasyJet Chief Executive Officer Johan Lundgren said in a statement, "There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimize any risk of potential phishing..."

It's somewhat irresponsible and presumptive for EasyJet to make such a statement. There is no way to determine where these details have ended up or who is responsible for the attack.

However, EasyJet did warn customers to be vigilant when opening any correspondence from the airline, be it text or email. The stolen information allows criminals to conduct phishing scams and other cybercrimes.

Credit Card Fraud due to EasyJet Data Breach

According to the UK cybercrime reporting agency Action Fraud, Johan Lundgren's statement is incorrect. By May 2020, there were 51 reports of credit card fraud resulting from the EasyJet data breach. 

The estimated loss to credit card holders stands at £11,752.81, including one customer losing £2,750 shortly after the EasyJet attack.

The Fallout from the 2020 EasyJet Data Breach

EasyJet's fate is still to be determined. The ICO is conducting its investigation into the matter and, judging by what happened to British Airways, EasyJet will likely receive a fine.

Under GDPR, companies that fail to store personal details securely could face fines from the ICO of 4% of turnover, which for EasyJet was £6.3 billion in 2019.

EasyJet Class-Action Lawsuit

To rub salt in the wounds, law firm PGMBM (the same law firm behind the British Airways class-action) plans to file an £18 billion class-action lawsuit against EasyJet.

EasyJet's biggest mistake in this matter was waiting four months to go public with the breach; earlier disclosure could have prevented financial losses.

When filing the suit, PGMBM stated, "The sensitive personal data leaked includes full names, email addresses, and travel data that included departure dates, arrival dates, and booking dates. In particular, the exposure of details of individuals' personal travel patterns may pose security risks to individuals and is a gross invasion of privacy."

Under GDPR regulations, customers have the right to compensation when their information is stolen during a breach. Furthermore, EasyJet waiting four months to tell customers about the breach might appear reckless to the courts.

How did Hackers Breach EasyJet's Systems?

EasyJet has not released any details of how hackers infiltrated their systems. But, in an interview with the BBC, EasyJet stated, "This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted..."

EasyJet claims it went public to protect the nine million customers who could be in danger of various cyber crimes, especially phishing attacks using spoofed EasyJet communications.

According to EasyJet, hackers were after the airline's intellectual property rather than customer data, alluding to the possibility of government or corporate espionage. If that is the case, the EasyJet breach is significantly more disturbing than your average data breach.

Potential Risks to EasyJet Customers

Even if the EasyJet attack is some form of espionage, there's no stopping the attackers from selling the customer data on the black market. Some of the nine million customer records likely include business email addresses, which cybercriminals can use in future corporate attacks.

Phishing Attacks

The primary concern for EasyJet customers is phishing attacks. Cybercriminals might attempt to communicate with victims through spoofed EasyJet communications, including email, SMS, or voice calls.

This communication could be as mundane as an email advertising EasyJet's latest travel packages with an offer that's too good to refuse. The links from the email will take the victim to a spoofed EasyJet website with fake flights and travel packages. 

If a victim purchases any of these fake flights or packages, the website will capture their credit card details for criminals to use or sell on the dark web.

Criminals may also contact EasyJet customers to offer refunds, requesting credit card information to "verify their payment information to process the refund."

Malware Attacks

Criminals might send out similar EasyJet correspondence to install malware or a virus on a victim's device. With the malware installed, criminals can monitor your device, record keystrokes, activate your camera or microphone, and access sensitive information.

You can accidentally install malware without knowing, simply by clicking a link. For EasyJet customers, this link might arrive as a text or email that appears to come from the airline, increasing the likelihood of someone clicking it by mistake.

Credential Stuffing Attacks

Criminals often use credentials stolen during a data breach to access websites or applications where users might have an account. Using automation and a process of elimination, cybercriminals send out bots to test a user's email and password against thousands of websites and applications.

A recent example of a credential stuffing attack was Nintendo's Data Breach in 2021, where hackers accessed 300,000 Nintendo Switch accounts.

How to Prevent a Data Breach at Your Company

While we don't know the exact reason for the EasyJet data breach, there are several ways hackers can infiltrate an organization. Most breaches involve the theft of employee login credentials which criminals use to access a company's internal systems.

Using a password manager like TeamPassword is an effective way to monitor access and prevent unauthorized credential sharing. TeamPassword is an affordable solution that uses state-of-the-art encryption technology for businesses of all sizes to share and manage passwords safely.

What is TeamPassword?

TeamPassword is a password manager for companies to share login credentials with team members. Rather than share raw login credentials, you provide each team member with a TeamPassword account.

Instead of entering a password, team members use TeamPassword to log into an account—social media accounts, accounting software, development and marketing tools, content management systems, and more.

Built for Teams

Our customers love how safe and easy it is to share passwords with employees, contractors, and freelancers. With TeamPassword, you can create groups to provide access only to those who need it.

For example, if you're managing social media for a client, you can create a group in TeamPassword and add your social media team to that group. You can remove team members with just one click!

Multiple Browser Extensions

TeamPassword features browser extensions for Chrome, Firefox, and Safari, so team members will always have account access with their preferred device.

To gain access, a user navigates to the website or application they want to access, clicks the TeamPassword browser extension, and selects the relevant login credentials.

Secure Password Generator

TeamPassword's built-in password generator lets you create robust passwords with just one click. To ensure every password is unique and secure, you can generate 12-32 character passwords with uppercase, lowercase, symbols, and numbers.

When you update a password, TeamPassword automatically updates the new credentials for all team members.

Two-Factor Authentication (2FA)

In the unlikely event that a team member's password is stolen or they lose their device, 2FA acts as a second line of defense. TeamPassword uses Google Authenticator, which is available for iOS and Android devices.

Activity Log & Notifications

An activity log lets managers monitor just about any action in TeamPassword, including logins, sharing, password updates, and more. You can also set up email notifications for sensitive accounts so you can stay on top of unauthorized access and sharing.

Explore TeamPassword's features with a 14-day free trial and take control of your password management today!