easyJet has revealed it has been the subject of a cyber-attack from a “sophisticated source”.
The low-cost carrier said the email address and travel details of approximately nine million customers were accessed during the breach.
In addition, the credit card details of over 2,000 passengers were accessed.
Action has already been taken to contact all of the latter subset of customers, and they have been offered support, easyJet said.
easyJet chief executive, Johan Lundgren, said: “We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information.
“However, this is an evolving threat as cyber attackers get ever more sophisticated.”
He added: “Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams.
“As a result, and on the recommendation of the Information Commissioner’s Office (ICO), we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
There is no evidence that any personal information of any nature has been misused, easyJet said.
However, on the recommendation of the ICO, the carrier said it was communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.
easyJet said it had notified the National Cyber Security Centre, while the breach in security had been closed off.
Commenting on the breach, Jeremy Hendy, chief executive of Skurio, said: “Customers of easyJet should be changing security information for web accounts or app usage immediately as a precaution and monitor their bank account for fraudulent activity.
“They should also be wary of any correspondence they receive by email or text message.
“We have seen previously that criminals use these types of incidents to slip phishing attempts under the radar.
“This is done by recycling contact details from historic breaches and hoping worried customers will let their guard down.