EasyJet hack could have scam knock-on effect for victims

On 19 May 2020 it was announced that EasyJet had been breached in a cyber attack. Email addresses and travel information of around 9 million customers were exposed. There was also unauthorised access to the credit card details of 2,208 customers.

Dr Jason Nurse from the Kent Interdisciplinary Research Centre in Cyber Security, has commented on the implications that may be faced by those who have had personal data hacked. He said:

‘It is clearly a difficult time for the travel industry considering the impact of COVID-19 on operations. A cyber-attack is the last thing an airline would want to deal with now.

‘This breach happens to be yet another instance of targeted attacks on the airline industry. This follows the British Airways breach in 2018 exposing details of around 500,000 customers, the Air Canada attack in 2018 thought to impact around 20,000 accounts, and the Cathay Pacific hack also in 2018 affecting up to 9.4 million passengers. Across these data breaches, various types of personal information have been exposed, including names, passport numbers, nationality, date of birth, phone number, email addresses, credit card details and travel history.

‘While the temptation may be to consider the EasyJet breach as less significant given that a large variety of personal information does not appear to have been exposed, the significance arises due to the timing of this data leak.

‘Cybercriminals have significantly ramped up attacks and cybercrime activities during the ongoing coronavirus pandemic. Scams and phishing attacks are a particularly common method as they are easy for fraudsters to launch. To increase the success rates of these attacks, criminals use information about individuals to trick them into believing scams.

Travel details, such as those exposed in the EasyJet breach, are a perfect example of this information considering that people would expect that only their airline or hotel provider would know these details.

Travellers are therefore more likely to fall for scams using this data (e.g., an email pretending to be from EasyJet offering a flight refund), and put themselves at risk of losing money or further personal data. This therefore represents a significant attack which could have wide implications.

‘If your data has been exposed, EasyJet should be contacting you over the next week. In that case, stay alert and follow our tips for protecting against online fraud and scams.’

Dr Jason Nurse is a Lecturer at Kent’s School of Computing and belongs to the Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) and Cyber Security Group. His research focuses on the interaction between users and aspects of cyber security, privacy and trust.

 The University’s Press Office provides the media with expert comments in response to topical news events. Colleagues who would like to learn more about how to contribute their expertise or how the service works should contact the Press Office on 3985 or pressoffice@kent.ac.