back to article It wasn't just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims

Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline. As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet …

  1. O RLY

    Maybe easyJet don't need to continue as a business. Certainly the current travel culture will crank "survival of the fittest" up to 11 and easyJet seem anything but fit. It's hard to mourn a company, one of many, that doesn't take security seriously.

    1. Yet Another Anonymous coward Silver badge

      So we have flag carriers bailed out by their governments and all the cheap airlines go bust and we go back to paying £500 on 'British' Airways to fly to europe

      1. Anonymous Coward
        Anonymous Coward

        Some things in life are worth the expense. If they all skimp on security then complain. But don't complain a competitor is worse than those cutting corners on price.

        1. robidy Silver badge

          So BA didn't scrimp on security or the majority of other companies who've been hacked?

          Airlines are the target of nation state actors as not every country is allowed access to passanger lists for "vetting"..the security budget is not unlimited.

          Not being funny, but I get the feeling you don't manage security :)

          1. Yet Another Anonymous coward Silver badge

            I think when it comes to hacking, British Airways' approach could be described as "proactive"

          2. Anonymous Coward
            Anonymous Coward

            Was not a comment on security, but a comment on complaining expensive things are expensive. Same applies to security, it's expensive! But never mind, continue with the downvotes.

      2. elaar

        To be fair, most of the Easyjet flights to europe are a similar price to BA these days, and Ryanair often works out more expensive, from Stansted anyway.

      3. jospanner Bronze badge

        Welcome to capitalism. Turns out it doesn't work all that well.

        1. Symon Silver badge

          To paraphrase Sir Winston Churchill, “capitalism is the worst form of economic system, except for all those others that have been tried.” Cheers!

          1. codemonkey

            If you're "quoting" Churchill, then maybe you have to update your thinking, by, like, a few decades :D

            1. clyde666

              Churchill again

              I had a client who actually had a signed photograph of Churchill on his office wall. Seems the chap had visited the company when the present owner's dad owned it.

            2. ElectricPics

              Those that discard 'outdated' wisdom tend to be in greater need of it.

              1. Louis Schreurs Bronze badge

                Those living in the past can’t tell time.

        2. Anonymous Coward
          Anonymous Coward

          Depends on how far up the Corporate ladder you are. Those at the top seem to do very well. Consumers and those at the bottom - not so much.

          And as those at the top are the ones that seem to be in control.

          Having said that, whatever the political system, its the ones holding onto the power who benefit the most.

      4. gerryg

        On this Michael O'Leary has a point

        Passenger numbers show the success Ryanair had competing with the loss making dinosaurs but all for nothing if governments bail them out under the cover of Covid 19,

        1. robidy Silver badge

          Re: On this Michael O'Leary has a point

          Except when you want a refund....BA pay out no questions asked from an online request. Ryanair seem to think vouchers that expire in Dec 2020 are a cash refund.

          1. Anonymous Coward
            Anonymous Coward

            Re: On this Michael O'Leary has a point

            Yes, but that is classic O'Leary. He will not part with as much as a penny without a fight - after all, that one-way traffic is what made him rich.

            I suspect his next scam trick will be high admin charges on refund as high as the value of the refund, or only validating refund vouchers if they're printed in llama blood on the skin of a Yeti. He's going to make it impossible to get your money back, I expect him to keep doing that even while he's taken to court for it.

        2. Alan Brown Silver badge

          Re: On this Michael O'Leary has a point

          Ah, yes... "cheap flights"

  2. Steve Foster

    Stelios & EGM

    This isn't the first time Stelios has forced an EGM to be held, as he does like to throw tantrums from time to time. He basically thinks he always knows better than the EasyJet board - sometimes he might be right, but trying to throw his weight [vis his large shareholding] around like this just makes him look petty and vindictive.

    1. robidy Silver badge

      Re: Stelios & EGM

      He only owns 34% some needs to tell him the share price has tanked and to but to 50.1% if he wants control.

      He could do that with all the love 40 pence a share divideds he's been getting.

      1. Prst. V.Jeltz Silver badge

        Re: Stelios & EGM


        1. robidy Silver badge

          Re: Stelios & EGM

          It was the Ryanair budget spelling and garmmar checker in klingon...English is a paid for extra.

    2. Steve Graham

      Re: Stelios & EGM

      I've seen quotes from him that make it clear that he suspects corruption in the procurement of the Airbus contract.

      (It was only January this year when the USA, UK and France imposed huge fines on Airbus for bribery in other deals.)

      1. Saruman the White

        Re: Stelios & EGM

        Accusations are easy for Stelios to make. Maybe he should ante up some evidence to support his claims.

        1. Insert sadsack pun here

          Re: Stelios & EGM

          He has in fact offered a payment to anyone that sends him evidence. Despite him describing that person as a whistleblower, anyone sending Stelios evidence of that bribery instead of to the cops or their own boss first will be in a world of pain. Good news for laywrs tho

      2. ElectricPics

        Re: Stelios & EGM

        He's probably right. After all, he'll have been on the receiving end of the odd bung so he should know.

  3. Mike Richards

    DPA 2018?

    So, when did EasyJet inform the ICO?

    From memory, under the DPA 2018 they have 72 hours to refer themselves after discovering the breach which doesn’t seem to fit with an announcement this week of a hack that occurred a couple of months ago and which left customers vulnerable to fraud.

    1. Nifty Bronze badge

      Re: DPA 2018?

      A spokesman for EasyJet said the airline notified the ICO, which it is obliged to do within 72 hours of discovering a breach, in January.

      I think that doesn't mean the ICO needed to make it public, it may help the investigation not to do so immediately.

      1. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    We are very sorry this has happened.

    says Michael O'Leary, this (...) (...)

    1. Overflowing Stack

      Re: We are very sorry this has happened.

      Michael O'Lardy of Brianair "Easyjet want to give your details away, we want you to know we've sold them and you'll have to pay to get them back"

      1. Yet Another Anonymous coward Silver badge

        Re: We are very sorry this has happened.

        All Ryanair's customers got leaked int he sports direct hack

    2. macjules Silver badge

      Re: We are very sorry this has happened.

      If RyanAir had done this they would have charged their customers to inform them of the breach.

  5. IGotOut Silver badge

    Credit Monitoring

    Is available for a small upgrade charge.

    1. robidy Silver badge

      Re: Credit Monitoring

      ...payable to the new Easyjet western union 419 account.

      1. SuperGeek

        Re: Credit Monitoring

        "...payable to the new Easyjet western union 419 account.". Owned by the ever so lovable George Agdgdgwngo! Just a sort code needed!

  6. Anonymous Coward
    Anonymous Coward

    Just to point out

    That in the circumstances, any non-UK based EU-resident customers can take up the matter directly with their own national data protection office, in light of the concerns raised by the ICO's (non-)handling of this matter (and numerous others).

    Also, I haven't checked which legal entity is responsible for the data. EZY being spread over a number of countries, it is possible it is not even a UK entity.

    1. robidy Silver badge

      Re: Just to point out

      Their privacy policy has some weasel words about GDPR and references to Swiss law but I can't see how it would escape the clutches of GDPR thankfully :)

      This bit of their privacy policy left me laughing my head off -

      "Furthermore, easyJet is a PCI DSS compliant organisation. This means that we adhere to high security standards in order to protect your payment card details when you are sending us this information.

      The information that you provide to us will be held in our systems, which are located on our premises or those of our appointed suppliers.

      As described in this Privacy Policy, we may in some instances disclose or allow access to your information by third parties who act for us for the purposes described in this policy or for other purposes approved by you. Where these third parties process your personal data on our behalf, we require that they have appropriate technical and organisational measures in place to protect this data."

      1. idiottaxpayerhere previously ishtiaq/theghostdeejay

        Re: Just to point out

        that in the article it says that no payment card details were stolen

        Cheers… Ishy

        1. robidy Silver badge

          Re: Just to point out

          ...apart from the bit that says "though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack."

      2. Steve Graham

        Re: Just to point out

        An acquaintance received the email regarding the exposure of her credit card details. It explicitly states that the information included the CVV, which I think means that Easyjet are not PCI DSS compliant.

        1. 142

          Re: Just to point out

          > the information included the CVV, which I think means that Easyjet are not PCI DSS compliant.

          That depends on if they were stolen from Easyjet's systems. Speculation appears to be that it was malicious code inserted into the website that siphoned off the details client-side.

          1. Anonymous Coward
            Anonymous Coward

            Re: Just to point out

            .. which is still Easyjet's problem as they're the primary for the transaction. Thankfully you can't outsource a risk, you still own it (although many directors keep trying).

            They can then, in turn, take the outsourcer to court, but they're definitely on the hook.

      3. seven of five Silver badge

        Re: Just to point out

        iirc, gdpr is valid in switzerland as well.

        1. Anonymous Coward
          Anonymous Coward

          Re: Just to point out

          Not quite, but Swiss privacy laws exceed GDPR in a number of aspects (it makes certain activities criminal, for instance) so being Swiss compliant means your only concerns then are merely procedural.

  7. Warm Braw Silver badge

    The helpful "personal" message from CEO Johan Lundgren

    As soon as we became aware of the attack, we took immediate steps to manage and respond to the incident, closing off the unauthorised access. We engaged leading forensic experts to investigate the issue and we also notified the National Cyber Security Centre and the Information Commissioner’s Office (ICO).

    Which sounds remarkably like "as soon as we aware of the pandemic we took the right measures at the right time and followed the scientific advice". He even adds:

    You do not need to take any action apart from continuing to be alert.

    It's almost as if Dominic Cummings was moonlighting for Easyjet during his little sojourn at his parents' house. If so, he can credit himself on devising the universal platitude for all crises.

    1. robidy Silver badge

      Re: The helpful "personal" message from CEO Johan Lundgren

      Wonder if he's also written the new BrianAir eye site test?

  8. Nifty Bronze badge

    Is hacking too easy?

    I'm assuming in my naivety that the customer details were stored in an encrypted database but the hackers got the decryption keys, so were able to do a bulk data slurp.

    Is it really not possible to design a system that only allows access to one customers record at a time? With some sort of technology (e.g. like a captcha) to prevent a bot from accessing successive records incrementally even within the company intranet? What technology do the police use for accessing criminal records?

    1. pstones578

      I stopped doing this years ago

      The challenge is if a bad actor gets in and has the credentials / tokens / keys etc. to access the data then encryption is not enough. There needs to be monitoring in place to detect bad behavior and either automatically shut it down or alert a team that should respond immediately.

    2. Morten Bjoernsvik

      Re: Is hacking too easy?

      >What technology do the police use for accessing criminal records?

      I Norway we have centralized login: where there are 3 different providers and 6 different 2FA ways to authenticate. This login-service is used to access any official records by customers and internals alike. It covers usb-sticks, smartcards and login tokens and soon yubikey fido2 devices. Its govern by an own governmental directorate

      Soon a service that scans your passport will come alive. It will take you from zero legitimation level to top in one go. Making the onboarding fully digital and much faster.

      Each provider need a lot of independent backend services from various other providers, so it means compromising one wont compromising the entire chain.

      1. robidy Silver badge

        Re: Is hacking too easy?

        You have political leaders...we have boris johnson...who's even ridiculed by Max Hastings...his former boss who is also right wing.

    3. Pascal Monett Silver badge

      Re: only allows access to one customers record at a time

      Database system are designed to be as fast as possible, not to impose delays. You need to understand that there is not just one terminal (aka PC) making requests to the database, there are hundreds, if not thousands. You have the hostesses in the airports, registering luggage, you have travel agents querying the best way for their customer to travel, you have people on the Internet looking it up for themselves, and there is probably a bunch of other possible ways to send demands that I haven't the foggiest idea of.

      If you create a system where only one request can be served at a time, you are basically choking the whole system beyond usability and the whole thing collapses.

      1. robidy Silver badge

        Re: only allows access to one customers record at a time

        Of couse it's possible, you need the will to implement the maybe a bit of a bigish budget :)

      2. Nifty Bronze badge

        Re: only allows access to one customers record at a time

        I didn't say that only one record should exclusively be read at a time, rather, there needs to be a way to prevent bulk access. Websites have Capchas to check a bot is not doing the accesses.

  9. This post has been deleted by its author

  10. Anonymous Coward
    Anonymous Coward

    January? March? Which is it?

    If the hack was discovered in January, why have I been notified that details of my 29 Feb flight (booked a week earlier) have been stolen?

    Did it take them 2 months to shut off the leak? Seriously?!

    1. Free treacle

      Re: January? March? Which is it?

      Going to have to hypothise, but the time taken for a hack to be discovered and learning the extent of a breach are not always the same thing. They may have had to arrange a third party to come in to search through (perhaps?) incomplete/scant datasets and correlate evidence of what was actually exposed (and maybe they cut costs there too).

      Customers should have been informed, countermeasures should have been put in place to secure personally identifiable data, money should have been spent by Easyjet (hah!). I don't have a high opinion of Easyjet (hence this borderline rant) and maybe they didn't take this seriously enough, but there that is why I believe they may have delayed informing customers (crossing their fingers it was something insignificant).

  11. Anonymous Coward
    Anonymous Coward

    If I were the chairman of Easyjet or Airbus I'd have issued libel proceedings. I'm fed up of rich people, when they don't get their way, of mouthing off. Obviously, the vote was fairly conducted, and to claim otherwise is an attack on their integrity and impartiality.

  12. gerryg

    Never forget the Mandy Rice-Davies aphorism

    They say no credit card or passport details were lost. I have no idea. Will the data they have lost be put in deep freeze until things calm down? The travel itinerary was largely irrelevant not least as the flights were cancelled so the burglar would have found me in. Reassuring messages from some bloke I have never heard of... "Well he would say that, wouldn't he?"

    1. ITS Retired

      "They say no credit card or passport details were lost."

      That means the information was copied and not cut and pasted.

  13. Anonymous Coward
    Anonymous Coward

    Budget airlines

    Not sorry to see them go TBH

  14. Persona Silver badge

    Oh dear.

    So the hackers also know about my flight EZY8223 to Valencia on 13th January, oh my. The hack could also explain why my credit card company issued me with a new card with a new number even though the old one was not due to expire. Whilst having to change card details here and there is mildly inconvenient it's certainly not going to stop me using EasyJet once they start flying again.

    1. vtcodger Silver badge

      Re: Oh dear.

      There are a lot of folks out there who sincerely believe that personal details hacked from the Internet are a marketable entity of great worth. Credit card account info, yeah, I can believe there is marketplace in some dingy corner of the dark web where that can be sold for a tiny fraction of a Bitcoin. (How does one do that BTW? Bitcoins aren't pieces of eight that any fool could carve up with a chisel.) But who, in or out of their right mind, would pay for your travel itinery?

      1. autisticatheist

        Re: Oh dear.

        "But who, in or out of their right mind, would pay for your travel itinery?"

        Those who would like to burgle houses knowing the owners are away, perhaps?

        1. Persona Silver badge

          Re: Oh dear.

          So you are thinking that a burglar is going to invest in travel plans to hopefully locate a victim somewhere within reasonable driving distance safe in the knowledge that the house can't possibly be occupied by relatives or lodgers just because someone from there is on holiday?

          >99% of burglaries are opportunistic. The <1% that aren't wont be targeting EasyJet customers.

      2. batfink Silver badge

        Re: Oh dear.

        Dear Mr Codger - this is an important message regarding your Flight EZ986 from London to Barcelona, Booking Reference ZAJKYM.

        Your flight has been cancelled, due to the ongoing Coronavirus restrictions. We apologise for any inconvenience this may have caused you.

        Please click here for your refund.

        Signed, your friendly Easyjet team.

  15. anthonyhegedus Silver badge

    How do we know they didn't steal passport number details as well?

    1. Persona Silver badge

      What is the risk of your passport number being exposed. Mine is 509791552. Every hotel and car hire firm I have used in Europe has recorded that number so if there is a tangible risk surely I would have to have changed my passport number by now?

      1. Anonymous Coward
        Anonymous Coward

        Thanks, I need a fake passport to take out a loan

        Always good to be able to use real data on a fake passport, then that person is really on the hook and nobody will come after the scammer. Would you mind supplying your name as well, so I don't have to look it up in the data?

        You don't mind paying my loan back when they come looking for you, right?

        1. Persona Silver badge

          Re: Thanks, I need a fake passport to take out a loan

          Don't be lazy: find it out yourself. Hint - if you want passport details, hotel reception staff are on not much more than minimum wage. No doubt £50 would get you photocopies of half a dozen passports. For a bit more you could also get the matching credit card details and address.

  16. NotJustAStorageDude

    At least it makes your refund easier

    ..for the flight that they instantly charged you for but will take 90 days to refund following cancellation. you can tell the credit card company that your booking must have been fraudulent as they shared your details with others!

  17. DCdave

    I tried to put in a GDPR data request

    To find out what the barstewards actually have, as opposed to what the email says they lost.

    But of course, there is a Google-inspired "to make sure it's you, we need a copy of your ID card or passport".

    WTF? You've lost my data, and now you want me to trust you with more so that you can pretend it's for security? Just how, exactly, are you going to verify that that copy I provide is valid in any way, especially if you are not storing my passport details like I requested?

    1. Dan 55 Silver badge

      Re: I tried to put in a GDPR data request

      I have an account from ages ago and wasn't notified by EasyJet. I haven't flown with them in years and no flights appear in the flight history, so after trying and failing to find the button for deleting my account and reading that same nonsense instead, I just decided to fill it up with random data and point the e-mail address to mailinator.

      1. Anonymous Coward
        Anonymous Coward

        Re: I tried to put in a GDPR data request

        Not an option for me, as I still have outstanding flights with them.

        I didn't provide all of the correct data, and got a response from them to my new email address, changed after I was notified, saying they couldn't find anything under that email address and did I have another one? Have now supplied them with the old email address and will see what I get back.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020