Easyjet has revealed that the personal details of nine million customers have been accessed by “highly sophisticated” hackers.
The discount airline – currently mired by the grounding of flights because of the coronavirus crisis and a leadership tussle led by its founder – said it discovered the data breach in late January and was in the process of notifying those affected.
It stressed there was no evidence that data had been misused by criminals.
The Information Commissioner’s Office (ICO), Britain’s data watchdog, said it was investigating the incident.
Easyjet said it believed that the email addresses and travel details of nine million people were exposed along with the credit card details of more than 2,200 customers.
The airline said passport and credit card details were otherwise secure.
According to Reuters the attack is thought to have been conducted by a suspected Chinese hacking group which has targeted multiple airlines in recent months.
Easyjet began to inform those whose card details were accessed in April and “following discussions” was now notifying other customers.
The reason that it had taken from January until April to contact people was because of the time taken “to understand the scope of the breach”, which was “highly sophisticated”, a spokesman said.
Easyjet’s statement said: “There is no evidence that any personal information of any nature has been misused, however… we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
It added: “We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.
“Easyjet is in the process of contacting the relevant customers directly and affected customers will be notified no later than 26 May.”
The company said it had been working with the Information Commissioner’s Office (ICO) and National Cyber Security Centre since discovering the hacking.
An ICO spokesperson said: “We have a live investigation into the cyber attack involving easyJet.
“People have the right to expect that organisations will handle their personal information securely and responsibly.
“When that doesn’t happen, we will investigate and take robust action where necessary.”
British Airways, in the process of cutting 12,000 jobs to reshape itself for the future beyond the COVID-19 pandemic, is currently on notice from the ICO for a £183m fine over a similar breach in 2018 that coincided with tougher new powers for the regulator to punish sloppy protections.
The details of 500,000 customers were compromised in that incident.
Easyjet’s disclosure comes at a critical time for its leadership as it battles a series of challenges including a meaningful return to the skies as the coronavirus pandemic eases.
The airline’s founder and biggest shareholder Sir Stelios Haji-Ioannou’s family is also seeking to remove chief executive Johan Lundgren and three other members of the board in a shareholder vote due this Friday.
The row centres on a £4.5bn order for new planes from Airbus which Sir Stelios argues should be scrapped.
Sky News has previously revealed a bizarre twist over his offer of a £5m reward for information that leads to the deal being cancelled.
The tycoon wants the cash to be used instead to help the company emerge stronger from the pandemic crisis.
Easyjet has furloughed thousands of staff and borrowed £600m under a government-backed financing scheme.