Hackers have stolen the data of millions of EasyJet customers, including thousands of credit card numbers, the budget airline said in a statement on Tuesday.
A “sophisticated source” had accessed the email address and travel details of approximately 9 million customers, and the credit card details of 2,208, the company said.
EasyJet did not say when the attack took place. It said it was contacting all customers affected to offer support, and was working with the UK Information Commissioner’s Office (ICO) and National Cyber Security Centre.
EasyJet CEO Johan Lundgren apologized to customers, and he cited the coronavirus pandemic as a possible incentive for hackers.
“Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams,” Lundgren said. “As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
The ICO told CNN Business that it is continuing to investigate the incident.
“People have the right to expect that organizations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary,” an ICO spokesperson said.
“Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks, and scam messages. We have published advice on our website about how to spot potential phishing emails,”the spokesperson added.
EasyJet grounded all 334 of its planes in Europe in March as a result of travel restrictions across the region due to the pandemic, only operating rescue flights to repatriate citizens.
The airline has not confirmed when it will start flying again, telling customers it is currently canceling flights on a seven-day rolling basis, though flights are available for booking on the company’s website from May 29.