Budget airline easyJet has informed UK regulators that is has been subject to a “highly sophisticated cyber-attack”.
The carrier said email addresses and travel details of around nine million customers were accessed as well as the credit card details of 2,208 customers.
All affected customer will be contacted within the next few days and offered advice and assistance, the firm said.
EasyJet said it took immediate steps to close down access to the data, bringing in forensic investigators and notifying the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
EasyJet said passport details and credit card details of customers were not accessed other than for a “very small subset of customers”.
It reported that 2,208 credit card details were accessed and that action has already been taken to contact all of these customers.
The airlines added that it “takes issues of security extremely seriously and it continues to invest further to enhance its security environment”.
In a statement, easyJet said: “There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.
“We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.”
Chief executive Johan Lundgren said: “We take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.
“Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams.
“As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.
“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.
“We would like to apologise to those customers who have been affected by this incident.”
Podcast: Summer dreams ripped at the seams?