Easyjet hacked: 9 million people's data accessed plus 2,200 folks' credit card details grabbed

Budget British airline Easyjet has been hacked, it has told the stock markets, admitting nine million people's details were accessed and more than 2,000 customers' credit card details stolen. Some information about the attack was released to the London Stock Exchange by the company, which claimed it had been targeted by "a …

  1. Mike Shepherd
    Meh

    Highly sophisticated

    Incompetent data controllers often claim to be victims of "highly sophisticated" attacks, despite taking security "extremely seriously".

    An unkind person might suggest that many don't think much about whether a database is private / don't check incoming messages against buffer sizes / never heard of SQL injection. To them, I suppose, any attack is "highly sophisticated".

    1. BebopWeBop
      Thumb Down

      Re: Highly sophisticated

      Not to mention apologising for their "robust security measures,"

    2. Paul Herber Silver badge
      Pint

      Re: Highly sophisticated

      I can even schpell it when I'm shober!

    3. Anonymous Coward
      Anonymous Coward

      Re: Highly sophisticated

      A 'highly sophisticated' attack in their parlance would be something like:

      for ((i=0; i<=9999999; i++)); do wget https://easyjet.com/customerPortal/creditCardDetails?customerId=$i; done

      1. Anonymous Coward
        Anonymous Coward

        Re: Highly sophisticated

        I suspect the people who "hacked" them were not quite up to the sophistication of using a loop - they probably still did it manually.

        Or in Basic.

        1. Anonymous Coward
          Anonymous Coward

          Re: Highly sophisticated

          If I were going to get 9 million people's details in a "sophisticated hack", I'd probably do the following:

          1. Start an airline called EasyJet.

          2. Run a shit service for many years.

          3. Appoint a board of shitty execs.

          4. Walk away with the data.

          This is pretty sophisticated, especially 1, running an airline that balances price with poor quality is pretty tricky because you have to be just good enough that people won't complain because the price is just right.

          1. TRT Silver badge

            Re: Highly sophisticated

            It's the customers' own fault. They didn't pay the £5 supplemental charge for the cyber security option.

      2. katrinab Silver badge
        Meh

        Re: Highly sophisticated

        Which language is that?

        in csh it would be:

        foreach i (`seq 1 9999999`)

        wget https://easyjet.com/customerPortal/creditCardDetails?customerId=$i

        end

        In bash it would be:

        for i in {1..9999999}; do wget https://easyjet.com/customerPortal/creditCardDetails?customerId=$i; done

        in powershell it would be

        for ($I=0; $I -le 9999999; $I++) {wget https://easyjet.com/customerPortal/creditCardDetails?customerId=$i}

        1. FrogsAndChips Silver badge

          Re: Highly sophisticated

          You should learn about this new language called "pseudo-code".

          1. Anonymous Coward
            Anonymous Coward

            Re: Highly sophisticated

            You could try pasting it into a bash shell to see for yourself?
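The loops quoted above describe sequential-ID enumeration against an endpoint that never checks who owns the record. As an added example that is not from any commenter, here is the defender's side: a small parser over constructed access-log lines (the line format, client addresses and id values are assumptions for this example) that flags a client fetching a near-consecutive run of customerId values, plus the ownership check such an endpoint needs in the first place.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (assumed format: client, method, target, status).
# Client 10.0.0.5 walks consecutive customerId values; 10.0.0.9 behaves normally.
SAMPLE_LOG = """\
10.0.0.5 GET /customerPortal/creditCardDetails?customerId=1041 200
10.0.0.5 GET /customerPortal/creditCardDetails?customerId=1042 200
10.0.0.5 GET /customerPortal/creditCardDetails?customerId=1043 200
10.0.0.5 GET /customerPortal/creditCardDetails?customerId=1044 200
10.0.0.5 GET /customerPortal/creditCardDetails?customerId=1045 200
10.0.0.9 GET /customerPortal/creditCardDetails?customerId=7 200
10.0.0.9 GET /customerPortal/booking?ref=ABC123 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into client, path, customerId (if any) and status."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    cid = parse_qs(parts.query).get("customerId", [None])[0]
    return {
        "client": client,
        "path": parts.path,
        "customer_id": int(cid) if cid is not None and cid.isdigit() else None,
        "status": int(status),
    }


def longest_consecutive_run(ids, max_gap=1):
    """Length of the longest run of sorted ids whose neighbours differ by at most max_gap."""
    ordered = sorted(ids)
    best = run = 1 if ordered else 0
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b - a <= max_gap else 1
        best = max(best, run)
    return best


def find_enumeration(log_text, min_run=5):
    """Return {client: run_length} for clients that successfully fetched a
    near-consecutive run of at least min_run distinct customerId values on one path."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["customer_id"] is not None and rec["status"] == 200:
            seen[(rec["client"], rec["path"])].add(rec["customer_id"])
    flagged = {}
    for (client, _path), ids in seen.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged


def may_view_card_details(session_customer_id, requested_customer_id):
    """Server-side ownership check the joked-about endpoint lacks: a record may
    only be read by the authenticated customer it belongs to."""
    return session_customer_id == requested_customer_id


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'10.0.0.5': 5}
```

Note that the detector only sees enumeration that already happened; the ownership check is what prevents it, and an unguessable record identifier in place of a counter shrinks the problem further.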

    4. John Riddoch
      FAIL

      Re: Highly sophisticated

      Yeah, that's my normal thinking. "Sophisticated" is code word for "they were smarter than we were". Doesn't say at an absolute level how smart either side was... It's spin from the corporate types to avoid making themselves look incompetent.

      1. Doctor Syntax Silver badge

        Re: Highly sophisticated

        It's spin from the corporate types to avoid making themselves think they look incompetent.

        FTFY

        To the rest of us things look a bit different.

      2. Anonymous Coward
        Anonymous Coward

        Re: Highly sophisticated

        Offshore coding.

      3. macjules

        Re: Highly sophisticated

        Well, at least they informed that well known web security organisation - the London Stock Exchange.

    5. Anonymous Coward
      Anonymous Coward

      Re: Highly sophisticated

      They went further and didn't claim the attack was sophisticated just that the attacker was sophisticated. That is quite some claim - do they know the attacker?

      The fact that they "have now closed off the unauthorised source" makes it sound like it is totally not sophisticated at all. Either they've closed off a backdoor, a bug etc. or they've removed a previous employee's access. None of which is that sophisticated.

      1. Handlebars

        Re: Highly sophisticated

        Maybe a sophisticated attacker is just someone who enjoys fine whiskey and cigars?

        1. Rich 11

          Re: Highly sophisticated

          A night at the opera and a day at the races.

          1. tony2heads

            Re: Highly sophisticated

            Groucho?

    6. Anonymous Coward
      Anonymous Coward

      Re: Highly sophisticated

      Wasn't the TalkTalk attack originally 'highly-sophisticated' - before it was revealed it was some script kiddies playing with freely-available tools on an unsecured Tiscali database?

      Still, it's not like the then-management of TalkTalk are doing anything vital these days are they?

      https://www.gov.uk/government/news/new-chair-of-coronavirus-test-and-trace-programme-appointed

      1. Anonymous Coward
        Anonymous Coward

        Re: Highly sophisticated

        Please tell me no. Please! I already did not want to be on this planet. Or with these people. Now I've gotta find some new reality as they seem to have destroyed everything. :(

        1. Dan 55 Silver badge

          Re: Highly sophisticated

          I'm starting to believe the UK is a full-fledged kakistocracy and there's no way back from it.

      2. lordminty

        Re: Highly sophisticated

        "on an unsecured Tiscali database"

        It was worse than that wasn't it? Application and DB all on a single Internet-facing server.

        The IT version of going out and leaving all your house doors and windows open with a big sign saying 'Criminals Welcome' hanging outside.

    7. Anonymous Coward
      Anonymous Coward

      Re: Highly sophisticated

      Or an even simpler case of "Let's outsource the database management. It will be cheaper as the overseas support company can do it cheaper than our in-house team". To then come in one day and find the database deleted. WTF! It surely wasn't the cheaper overseas support company that did it? Oh yes, oh yes it was. The incompetent local IT manager who was the 1st line manager before somehow getting the 2nd line managers roll despite being an incompetent fuck as a 1st line manager, who also frequently exposed HR confidential info to their mate because they'd got it from their HR buddy (but because their mate had a big mouth we also heard it), hadn't been managing properly, so had left a support account wide open for them to come and go as they pleased with no records. So said overseas company had a rogue employee who connected in with the unattended account that should have been locked and used it to delete the database. They were caught and charged eventually but a simple rogue employee can cause all sorts of issues.

      What fun.

      1. eamonn_gaffey

        Re: Highly sophisticated

        ...this is how it happens folks. Pursuit of cheap and nasty outsourced IT "services", means you will get what you pay for - one day. The dicks who set up such, no doubt got nice pay rises and bonuses, and are long gone elsewhere. What fun, indeed.

      2. Tom 38
        Headmaster

        Re: Highly sophisticated

        ... The incompetent local IT manager who was the 1st line manager before somehow getting the 2nd line managers roll ...

        Was it cheese and ham? Any mayo or salad?

    8. Anonymous Coward
      Anonymous Coward

      Re: Highly sophisticated

      scott

      tiger

    9. Evil Auditor Silver badge
      Devil

      Re: Highly sophisticated

      "That's funny: when you type your password in this comments section, it is transformed to ******** after submitting. Try yourself!"

      scnr

      1. not.known@this.address
        Facepalm

        Re: Highly sophisticated

        "Evil Auditor Silver badge

        Reply Icon

        Devil

        Re: Highly sophisticated

        "That's funny: when you type your password in this comments section, it is transformed to ******** after submitting. Try yourself!"

        scnr"

        correcthorsebatterystaple

        did it work?

        1. Evil Auditor Silver badge
          Thumb Up

          Re: Highly sophisticated

          Erm, yes.

          Thumb up for the xkcd reference. Or, maybe it wasn't: in one of my former lives our password policy explained how a "good" password should be constructed and also gave an example. As part of an access security audit we checked passwords. Young and naive I was rather surprised when finding how many users used that exact example as their password.

    10. JimboSmith Silver badge

      Re: Highly sophisticated

      I haven't used Easyjet until this year when we had a work trip to France. When I heard they'd been hacked I thought that's just typical of my luck. My immediate reaction was to call the bank and as I was fairly certain I'd paid on my debit card and ask them to check. Before I'd finished dialing I remembered the trip was paid for by work. Therefore the most they would have is my passport details. When I read more about it I realised unless they were really shoddy about it I'd be okay as we didn't fly until February.

      The boarding at both ends was a shambles and we were delayed because of it. They took hand luggage off people who had bags they'd tagged for the hold. These people had been let into the holding area before boarding which was a scrum and then their bags were taken....... I vowed there never to use Easyjet again.

  2. I_am_Chris

    Never store CC details

    This is why it is never a good idea to store your card details on any website. Never have done, never will.

    Also, in unrelated news, the website password is limited to only 20 characters <sigh>.

    1. Captain Scarlet Silver badge
      Mushroom

      Re: Never store CC details

      I hate max characters in passwords, it's bloody annoying pasting in from my password manager of choice to be told the password can't be used!

      1. A Non e-mouse Silver badge
        Mushroom

        Re: Never store CC details

        Even worse when the "clever" website programmers prevent pasting into fields.

        1. Lunatic Looking For Asylum

          Re: Never store CC details

          Or the even stupider ones who use a different set of rules for registration than they do for logging in.

        2. FrogsAndChips Silver badge

          Re: Never store CC details

          That's why "highly sophisticated" password managers have auto-type!

      2. Anonymous Coward
        Anonymous Coward

        Re: Never store CC details

        It's even more annoying when your password manager's formula falls foul of a site's rules (e.g. no non-alphabetic characters etc.) that they couldn't be arsed to tell you about beforehand.

        1. SloppyJesse

          Re: Never store CC details

          Or those that only accept *some* symbols.

          Plenty don't accept £, presumably because it isn't easily typeable on a US keyboard.

          1. Anonymous Coward
            Anonymous Coward

            Re: Never store CC details

            More likely that £ doesn't occur in ASCII and thus codepage vs utf-8 starts to come into play and it's easier to limit password characters to the ASCII range.

            Anonymous because I speak from experience :-)

          2. MachDiamond Silver badge

            Re: Never store CC details

            "Plenty don't accept £, presumably because it isn't easily typeable on a US keyboard"

            I have no problem with typing £ on an American KB. That it's a bit of an odd finger move, all the better as it will be used less.
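The complaints above (20-character caps, banned symbols, sites that reject £ because it is outside ASCII) all stem from treating the password as something that has to fit a column. As an added example that is not from any commenter, the following shows the usual fix: canonicalise the string, UTF-8 encode it, and run it through a memory-hard KDF, after which the stored value has a fixed size whatever the user typed. The policy numbers, the byte cap and the scrypt parameters are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Assumed policy values for this example. The byte cap only refuses absurd inputs
# (it is not a usability limit like the 20 characters complained about above).
MIN_CHARS = 12
MAX_BYTES = 1024
SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def normalize_password(password: str) -> bytes:
    """Canonicalise (NFKC) then UTF-8 encode, so a '£' typed on any keyboard layout,
    or an accented letter entered in composed vs. decomposed form, verifies the same."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def check_policy(password: str) -> Tuple[bool, str]:
    """Accept any printable Unicode; only length and control characters are constrained."""
    if len(password) < MIN_CHARS:
        return False, f"shorter than {MIN_CHARS} characters"
    if len(normalize_password(password)) > MAX_BYTES:
        return False, f"longer than {MAX_BYTES} bytes"
    if any(unicodedata.category(ch).startswith("C") for ch in password):
        return False, "contains control characters"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt digest. The output size is fixed regardless of password
    length, which is why a database column never needs a character limit."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(normalize_password(password), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(normalize_password(password), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    ok, reason = check_policy("correct horse battery staple £")
    print(ok, reason, len(hash_password("x" * 200)))  # True ok 48
```

The same check runs at registration and at login (the mismatch another commenter mentions above), and because only the hash is stored, the "no £" and "max 20" rules have nothing left to protect.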

      3. That 9 Bit Guy
        Joke

        What idiot would use that?

        Good job EasyJet didn't use the same 6 digit code to protect their website as I use to lock my suitcase, even though they might have failed at security to open it.

        1. Anonymous Coward
          Anonymous Coward

          Re: What idiot would use that?

          Fine, now I am angry again. TSA managed to break one of their keys in the lock of my suitcase, so they cut it open and returned it to me in a plastic bag. They made sure there is enough red tape in place to prevent people filing a complaint (or, god forbid, claiming damages).

          Waste of oxygen, all of them.

          1. Cynic_999

            Re: What idiot would use that?

            If they can't get in with a TSA key, they just stick an awl into the zip and pull it open. You may be lucky and be able to pull the slide backwards over the opened zip - but usually it's a write-off.

      4. N2
        Mushroom

        Re: Never store CC details

        Worse still are the Uber wankers like Lloyds bank that won't allow the use of extended char set !@£$% etc.

        Icon is what they need>>

    2. Korev Silver badge
      FAIL

      Re: Never store CC details

      My work credit card supplier has a limit of nine with only letters and numbers allowed... It's also the card with the highest credit limit that I have.

      1. Anonymous Coward
        Anonymous Coward

        Re: Never store CC details

        What did you choose as a password?

        1. Gene Cash Silver badge

          Re: Never store CC details

          CorrectHo?

        2. Timmy B

          Re: Never store CC details

          password1 ? Nine characters. Letters and numbers. Totally secure!

          1. katrinab Silver badge
            Coat

            Re: Never store CC details

            Password1 is even better

            Or really push the boat out and go for Password1!

    3. Aged Cynic

      Re: Never store CC details

      And that "max 20 chars password" must not contain "special symbols" such as "&" or "*" !!?!!

      Just logged in to change my password but can't see where (or if) any Credit Card info is associated with the account

    4. Anonymous Coward
      Anonymous Coward

      Re: Never store CC details

      "...it is never a good idea to store your card details on any website"

      Doesn't make any difference. Either these details were slurped in real-time by a script on the transaction page or they were read from the database. Regardless of whether you "store your card details" on a website or not. They will be recorded as part of the transaction unless they are using a third party provider's system (which can also cause issues). Therefore they either need to two-way encrypt the card details and never store the CCV or never store the card details after the transaction has completed and then not have an easy way to securely do refunds. As a punter you won't know what they do with your card details after you have entered them and clicked submit.

      1. Anonymous Coward
        Anonymous Coward

        Re: Never store CC details

        For refunds the common sense approach would be to only store the last 4 digits and get the customer to confirm the rest when processing the refund.

        1. Anonymous Coward
          Anonymous Coward

          Re: Never store CC details

          Which may cause other issues if done via a call. Can you really trust the operator on the other end not to write them down?

          There are 3rd Party tools to take the card details via the Num KeyPad, but then like a poster said above, this can cause other issues.

        2. MachDiamond Silver badge

          Re: Never store CC details

          "For refunds the common sense approach would be to only store the last 4 digits and get the customer to confirm the rest when processing the refund."

          A "confirmation" is when they read you information they have and you "confirm" that it is or isn't correct. I don't play that game they call "confirming my information" as the way I see it, I am giving out sensitive information. They don't seem to understand that, but since I've already been on hold for an hour, I'll wait another to talk with the supervisor.

      2. vtcodger Silver badge

        Re: Never store CC details

        Doesn't make any difference.

        I'm pretty sure you are correct for actual purchases. I'm unsure how the vendor could handle a chargeback or refund without having the CC number stashed with the transaction data. Likewise monthly subscriptions for services. The alternative to a stored CC for those would appear to be direct charges to your bank account. Somehow, that sounds even worse to me.

        But I think the OP was referring to vendors like Amazon who allow one to use a stored credit card number so one doesn't have to type it in every time they order a box of chocolates.

        I kind of wonder if it isn't about time for governments to start working on a set of explicit worldwide standards and conventions for digital commerce. Of course there might be a problem if it turns out that no set of standards and conventions that actually allows commerce and is also secure is possible.

        1. Stuart Moore

          Re: Never store CC details

          If they're doing it properly, then the credit card numbers will be passed to a CC processor, who will return a transaction number. If they want to refund the transaction, that's what they need. The CC processor will hold that link, but there are a small number of them and they can afford to do security a lot better (and understand that they need to do it).

          Likewise for repeating credit card payments, saved cards etc. done properly it will be passed to the CC processor who will return a token. That token can only be used by that merchant - so if the token does get exposed you can't use it all over the place.

          Of course, no guarantees that things are done properly, and it's very easy to e.g. turn on debug logging of all inputs without remembering there are some you definitely shouldn't be logging!

          1. vtcodger Silver badge

            Re: Never store CC details

            If they're doing it properly, then the credit card numbers will be passed to a CC processor, who will return a transaction number.

            So basically we replace a token known to me, the merchant, and my "bank" with a token known by the merchant, the "bank" and a trusted third party but unknown to me. I'm not sure that's a bad idea. But in addition to being kind of complicated, it's potentially risky if the "trusted third party" turns out to be not so trustworthy. Or they are compromised by -- say -- ransomware. Or if they go out of business. Or if they decide to charge outrageous fees for their services.

            Don't get me wrong. Sometimes the best answer for a problem is more complicated than the simplest answer. But ...

        2. Remy Redert

          Re: Never store CC details

          Speaking from the far off lands of the Netherlands, but also available in some other European countries, we have a wonderful system called iDeal, where a transaction is started in the vendor's environment, transferred via a single use number negotiated between vendor and bank and then finishes the transaction in the bank's environment.

          We also use IBAN, which can be used to transfer money to an account and identify the account, but cannot be used to charge the account without jumping through a bunch of hoops at which point a large part of the responsibility lies with the bank.

          Obviously this is less attractive for Amazon and all, because they can't use their one click purchasing with these systems.

      3. Doctor Syntax Silver badge

        Re: Never store CC details

        "As a punter you won't know what they do with your card details after you have entered them and clicked submit."

        Perhaps it's time sites were legally obliged to tell punters what they do.

      4. TkH11

        Re: Never store CC details

        Yes it does make a difference as it means a certain attack vector is no longer possible. That reduces the risk of compromise of the card data.

        It doesn't completely eliminate the risk as different threat actors may adopt a different attack vector.

        But the idea that it's not worth implementing the measure because it doesn't entirely eliminate the risk is flawed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Never store CC details

          Doesn't stop a vector as you don't know whether the card details are being recorded anyway as part of the transaction. Therefore there would be no vector that you're eliminating.

          In fact you'll probably find that the sites that allow you to store card details are probably much more secure than the ones that don't. Ones that ask you to store card details are *likely* to have put a lot of thought into the security of such a feature. Those that don't may have really rubbish security and still be recording the details.

          Not necessarily so of course, and it doesn't mean that you should store your card details, I don't for most sites. However the idea that using sites for CC details means they aren't stored is plain wrong in many cases.

    5. Anonymous Coward
      Anonymous Coward

      Re: Never store CC details

      This is why it is never a good idea to store your card details on any website. Never have done, never will.

      They're welcome to my vcard ones - the details change after every transaction :).

      The only issue is is that it has become such a habit that I forget it's not very useful for subscriptions. Sorry, Akeeba :).

    6. D@v3

      Re: EasyJet password policy

      also limits certain 'special' characters

  3. hmv

    I wonder just how many times the NCSC face-palms when they learn the details of what "a highly sophisticated source" did to get the data.

    And just how necessary is it to store credit card data anyway? I know /we/ don't and we do take such payments.

    1. Richard 12 Silver badge
      Facepalm

      Or their server was hit

      And a nice little script added that copies all the CC info off to the miscreant, who can do what they will.

      Same thing that BA failed to notice for quite some time. I wouldn't be surprised if it was the same code, implanted in exactly the same way.

      1. Anonymous Coward
        Anonymous Coward

        Re: Or their server was hit

        .. or potentially learned the lesson for their direct competitor, deployed RiskIQ and put FIM on their web server / script servers?

    2. Anonymous Coward
      Anonymous Coward

      Offline payments

      The main reason for temporarily storing card details is to deal with offline payments. If the payment provider is down, or any fraud checking services respond with inconclusive results, then they are retried without keeping the customer waiting. Once it is verified as being legitimate/fraudulent then offline details are erased.

      So it could be the offline card details were accessed, and the cleanup process hadn’t run - potentially an overnight process?

  4. Tom 38

    Other reports are saying they became aware of this in January

    It's now May. What gives?

    1. Mike 125

      Re: Other reports are saying they became aware of this in January

      >What gives?

      Lazy security. It's the gift that keeps on giving.

      1. RSProutt

        Re: Other reports are saying they became aware of this in January

        You will find that it is not that the Security Team is being "lazy".

        What you will find is that the Management has chosen not to implement certain Security controls for "Business Reasons" even though the Security Team has demanded them.

        You will find that the Business will have a high turnover of Security Team staff as people join, try and do their best to secure the Business, then realise that the Management are not on board.

    2. Doctor Syntax Silver badge

      Re: Other reports are saying they became aware of this in January

      What gives? A big fine I should hope. Either that or 72 hours has a different meaning at Easyjet.

      1. Allonymous Coward

        Re: Other reports are saying they became aware of this in January

        72 hours has a different meaning at Easyjet.

        Your flight isn't cancelled, it's just delayed by 72 hours so you don't need a refund.

        1. Anonymous Coward
          Anonymous Coward

          Re: Other reports are saying they became aware of this in January

          EU261: if the flight couldn’t depart because of something outside of the control of the airline, like strikes, volcanoes, then no you are not entitled to it. If the airline had a technical problem or staffing issue, then yes, you will get a refund.

          Every airline in Europe works this way. Don’t think that easyJet are the only ones working like this.

    3. TkH11

      Re: Other reports are saying they became aware of this in January

      1. It is interesting the ICO won't release details of when they were notified. There is a legal time limit of notifying the ICO upon detection of the breach. This makes me think that EasyJet did not comply with the time limit.

      2. There is no legally mandated need or time limit to notify the customers, but if the ICO thinks you should have done, given the potential impact on the customer, and you haven't, the ICO can take that into consideration when determining the size of the fine

      If the breach was detected in January and EasyJet didn't notify customers until the beginning of April then the ICO should throw the book at them. But somehow I don't think they will.

      1. Anonymous Coward
        Anonymous Coward

        Re: Other reports are saying they became aware of this in January

        The ICO? They'll probably berate the customers for making Easyjet look bad by having had their details stolen.

      2. Quokka

        Re: Other reports are saying they became aware of this in January

        "There is no legally mandated need or time limit to notify the customers ..."

        Not true - article 34 GDPR gives the requirements for notifying data subjects that their data has been breached: that is why the ICO can take failure to notify into consideration in fining.

        1. FrogsAndChips Silver badge

          Re: Other reports are saying they became aware of this in January

          As per Article 34, the requirements for notification are very broad, leaving a lot to the appreciation of the data owner, and no time limits are specified other than "without undue delay".

  5. TheSirFin

    from Franco-German manufacturer Airbus??

    Really, El Reg?

    If it was funny, I wouldn't mind..... but it's neither accurate nor funny ..... so do please try again?

    Its headquarters are in the Netherlands, the three largest countries involved are France, Spain and Germany, followed by the UK and many other European countries ..... so maybe try something like "Euro-Bloc Flying Fortress" etc ......?

    There, that wasn't so hard now was it? ;-)

    1. Richard 12 Silver badge
      Unhappy

      Re: from Franco-German manufacturer Airbus??

      If Boris gets his way, there won't be any more Welsh wings

      1. Anonymous Coward
        Anonymous Coward

        Re: from Franco-German manufacturer Airbus??

        If *Airbus* gets its way, there won't be any more Welsh wings. Or any other parts manufactured in the UK.

        The buggers have been trying to get all manufacturing out of the UK since I started working at BAe Systems (or British Aerospace as it was back then) in the 1980s. They don't mind us designing everything but they don't want us to be able to actually build anything.

  6. Mike 137 Silver badge

    An exemplary response

    "As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue."

    I'm amazed they responded like this - must have taken some serious thinking to plan for.

  7. Khaptain Silver badge

    We took immediate steps to respond to and manage the incident

    "We took immediate steps to respond"

    Yup, we sent out some emails and also contacted people that can do nothing.

    "manage the incident "

    In other words we did our best to avoid GDPR fines.

    What we did NOT do was secure our data in the first place... and once the data is gone, it's gone, and soon to be for sale on the Dark Web....

    1. Doctor Syntax Silver badge

      Re: We took immediate steps to respond to and manage the incident

      "In other words we did our best to avoid GDPR fines."

      Their best might not be good enough if they became aware in January and only notified credit card holders in April.

    2. Anonymous Coward
      Facepalm

      Re: We took immediate steps to respond to and manage the incident

      > "We took immediate steps to respond"

      Yep - we immediately waited 3 months before telling customers.

  8. Anonymous Coward
    Anonymous Coward

    No mention of it on their website.

    I just logged on to change my password. I've not had an email saying my details were part of the leak but it seems like something I should do.

    No sign of any information about this on their website yet or even an automatic prompt to change my password.

    1. werdsmith Silver badge

      Re: No mention of it on their website.

      I logged on to see if there was an option to delete my account but it seems not.

    2. FrogsAndChips Silver badge

      Re: No mention of it on their website.

      There's a banner at the top of the homepage linking to the security incident. One of the questions is "Do I need to reset my password details?"

  9. lordminty

    Did they use Stevie Wonder for their PCI-DSS audit?

    Sheesh, here we go again, another big name scrimping on IT security and using Stevie Wonder for their PCI-DSS audits.

    Sod the ICO/GDPR fines, the banks should just take away their ability to take card payments, it's not like this stuff is actually difficult.

    If it's SQL injection again they really need to rethink their application and DB tiering, but I'll hazard a guess that everything is running on a single Internet-facing tier.

    I'd call them cowboys, but at least cowboys wear boots.

    1. Anonymous Coward
      Anonymous Coward

      Re: Did they use Stevie Wonder for their PCI-DSS audit?

      Have you ever thought that they’d done everything right, they organised pen tests regularly, patched their system and ran their payment environment just as PCI-DSS describes. It’s just they got hit with a zero-day or that one machine that was offline for 6 months suddenly became infected?

      I wouldn’t be too presumptuous to assume that it’s a TalkTalk breach all over again. Many companies in the sector and size of TalkTalk really did pay attention to it.

      Only the ICO report will tell us how sophisticated this attack was and what efforts easyJet went to to protect their customer data, applications and PCI environment.

      (However - judging by the DSG Retail ICO report, the ICO will be expecting easyJet to run their whole organisation in a similar way to how the PCI-DSS environment is managed. If their organisational processes don't at least align with PCI-DSS, that's the first nail in the coffin.)

  10. macjules
    Facepalm

    OK, hands up ..

    Who here allows credit card details to be stored server-side, "for future purchases"?

    1. Fuzz

      Re: OK, hands up ..

      Done properly storing credit card details isn't a problem since the actual details themselves are never stored just a reference token that can only be used by that one merchant. Of course as an end user you have no idea if the website is going to do it properly or just chuck them into a table next to your email address and password.

      As mentioned in the article this most likely isn't Easyjet storing card details but some kind of script running on top of the website harvesting the card details as they are entered. It makes little sense that Easyjet would have card details stored in an accessible way for 2200 people only.

    2. ChrisCoderChap

      Re: OK, hands up ..

      Right now I'm coding the card-taking bit of a site I'm developing and no bloody way, my non-technical business partner wanted us to handle it all in-house to reduce transaction costs but I refused to. No way I'm being responsible for that sort of stuff.

      We're using a proper/expensive card processing company, storing nothing card-related for one-off payments and only storing a token to re-identify customers for repeat subscription charges, and I'm being super-paranoid about that, Azure Key Vault for the db connection string and authentication key for the card processor, proofs against sql injection of course, custom obfuscation of the tokens and key itself (because why not), super-locked down privileges about which users can initiate financial stuff (not the ones used by interactive sessions for a start, not even admin users!) and I'm still looking around to see what else I can do.

      The idea of leaking people's names and emails is scary enough, even for our small user-base, but card data; jeez, that's terrifying.

      1. Someone Else Silver badge
        Pint

        @ChrisCoderChap -- Re: OK, hands up ..

        Kudos to you, sir - - - - >

        Nice to see that there are web developers that have a sense of propriety, scope and sensibility. If only you weren't in the minority...

        1. ChrisCoderChap

          Re: @ChrisCoderChap -- OK, hands up ..

          Cheers, here in Bali I'd kill for a proper beer which looked like that...

          Now, if somebody can tell me how to persuade my code to get at the bloody Azure key vault when it's actually running on Azure that'd all be great, got my dev code using it fine but can't get the system test install to work, so it can't even open the database never mind process a transaction, it's one of those 'switch to branch, fight with it for half an hour, give up, do something less annoying for a while' problems !!

          1. Someone Else Silver badge

            Re: @ChrisCoderChap -- OK, hands up ..

            But...but...but...you're in Bali....

            Oh, the compromises we make!

      2. Anonymous Coward
        Anonymous Coward

        Re: OK, hands up ..

        > We're using a proper/expensive card processing company

        Have you looked into Stripe?

        1. ChrisCoderChap

          Re: OK, hands up ..

          >Have you looked into Stripe?

          We're using exactly them in fact, I say 'expensive' in comparison to not using them, I think their charges are perfectly reasonable.

          They're also the mandatory default in a way, the 2 other 'big boy' card processors we contacted seemingly weren't interested enough in our tiddler of a company to reply to my initial 'send their support folk a few questions and see if they respond' pings. Stripe came back to me almost instantly.

          The Stripe.net library is open source, I reported a bug in the new 36.12.1 recently (2 properties of a message type were marked internal rather than public by mistake), got a response in 10 minutes, they fixed it within half an hour and 36.12.2 was available in NuGet within the hour, I'd barely cloned the code and started working with a temporary fix before they'd released the fix-proper, now that's impressive !

          1. Anonymous Coward
            Anonymous Coward

            Re: OK, hands up ..

            Yup those Irish lads seem to know what they're doing.

            I integrated Stripe into someone's site (as a spare-time favour / hobby / curiosity) and really could not fault it compliance-wise.

      3. Anonymous Coward
        Anonymous Coward

        Re: OK, hands up ..

        Sound thinking - I agree entirely :-) my partner offloads all that to payment providers and she's running a Shopify account - terrified for the same reason. Super careful - keep nothing unless you have to

    3. RSProutt

      Re: OK, hands up ..

      The main website uses tokenisation of Credit Card details.

      If it wasn't then all customers details would have gone, this is most likely some 3rd party site which provides a service to EasyJet. Although it is still EasyJet who is responsible.
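An added example of the tokenisation flow Fuzz, ChrisCoderChap and RSProutt describe above (merchant keeps only a token, the card never touches the merchant's tables, and a token only works for the merchant that created it). This is illustrative code written for this thread, not Easyjet's, Stripe's or any commenter's code; the in-process PSP vault, the token format and the merchant IDs are all made up for the demonstration, and the card number is a constructed test PAN.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Card is what the customer types into the payment form. It travels to the
// PSP's vault once and is never written to merchant storage.
type Card struct {
	PAN    string // full card number
	Expiry string
	CVV    string
}

// vaultEntry is what the (hypothetical, in-process) PSP vault keeps: the card
// bound to the merchant that tokenised it. CVV is deliberately not a field:
// the vault uses it for the first authorisation and discards it.
type vaultEntry struct {
	pan, expiry, merchantID string
}

// PSP is a stand-in for a payment processor's tokenisation service.
type PSP struct {
	vault map[string]vaultEntry
}

func NewPSP() *PSP { return &PSP{vault: map[string]vaultEntry{}} }

// Tokenize stores the card in the vault and returns an opaque random token
// scoped to merchantID. The token encodes no card data at all.
func (p *PSP) Tokenize(merchantID string, c Card) (string, error) {
	if len(c.PAN) < 13 || len(c.PAN) > 19 {
		return "", errors.New("invalid PAN length")
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(buf)
	p.vault[tok] = vaultEntry{pan: c.PAN, expiry: c.Expiry, merchantID: merchantID}
	return tok, nil
}

// Charge resolves a token to a card inside the PSP and refuses tokens
// presented by any merchant other than the one that created them, so a
// token lifted from one merchant's database is worthless elsewhere.
func (p *PSP) Charge(merchantID, token string, pence int) error {
	e, ok := p.vault[token]
	if !ok || e.merchantID != merchantID {
		return errors.New("unknown token for this merchant")
	}
	if pence <= 0 {
		return errors.New("invalid amount")
	}
	// A real PSP would authorise with the issuer here using e.pan/e.expiry.
	return nil
}

// CustomerRecord is all the merchant database holds: a token and a display
// hint. A dump of this table contains nothing an attacker can charge.
type CustomerRecord struct {
	Email string
	Token string
	Last4 string
}

// SaveCard is the merchant side: tokenise, keep the token, drop the card.
func SaveCard(p *PSP, merchantID, email string, c Card) (CustomerRecord, error) {
	tok, err := p.Tokenize(merchantID, c)
	if err != nil {
		return CustomerRecord{}, err
	}
	return CustomerRecord{Email: email, Token: tok, Last4: c.PAN[len(c.PAN)-4:]}, nil
}

func main() {
	psp := NewPSP()
	// Constructed input: a well-known test PAN, not a real card.
	card := Card{PAN: "4242424242424242", Expiry: "12/26", CVV: "123"}
	rec, err := SaveCard(psp, "merchant_a", "alice@example.com", card)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant row: %+v\n", rec)
	fmt.Println("charge by merchant_a:", psp.Charge("merchant_a", rec.Token, 4999))
	fmt.Println("charge by merchant_b:", psp.Charge("merchant_b", rec.Token, 4999))
}
```

The point of the merchant-scoping check in Charge is the one Fuzz makes: even if the merchant's customer table leaks, the tokens in it cannot be replayed from anywhere else. Note also what is absent from CustomerRecord and vaultEntry: no PAN in the merchant row, no CVV anywhere after the first authorisation.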

  11. Anonymous Coward
    Anonymous Coward

    I predict the ICO will announce with great fanfare that they've fined EasyJet hundreds of millions of pounds.

    Then, years later, you'll find they repeatedly deferred enforcement, eventually settling for 5000 in 2027.

    1. Warm Braw

      Easyjet would probably only offer them vouchers anyway...

    2. Bob7300

      "The Information Commissioner’s Office said in a prepared statement that it has “a live investigation into the cyber attack involving easyJet” but did not answer questions about when Easyjet notified it of the hack. The agency has previously said it will not be enforcing data protection or freedom of information laws during the coronavirus pandemic, something noticed by Wired magazine today."

      Wait, what?!?

      The agency has previously said it will not be enforcing data protection or freedom of information laws during the coronavirus pandemic

      WTF!

      1. TkH11

        I am hoping that does not mean EasyJet and any other company is being let-off their legal responsibilities. I expect the ICO to enforce the law and issue fines at a later date for those GDPR violations which occur during COVID-19, but I fear ICO will go easy on them and they won't be held accountable.

      2. batfink

        Agreed - this is insane. If anything, laws should be stricter during the current crisis as everyone drops their security standards to enable their people to work from home.

      3. IGotOut Silver badge

        You're misreading it. They are not ENFORCING it at the moment. Doesn't mean they are ignoring it. Deferring is better wording. Companies will still get fined, but courts are not running fully, their staff will be reduced and you could be building a case against a company that may not be around in 3 months' time.

        Besides, better to hit them when they have some cash

        1. Anonymous Coward
          Meh

          Doesn't mean they are ignoring it

          They are not ENFORCING it at the moment. Doesn't mean they are ignoring it. Deferring is better wording.

          The Wired article quotes a letter received by a complainant from the ICO. "We have therefore decided not to take forward any complaints that require organisations to take action or respond to enquiries from us until the situation improves."

          If you receive a letter saying "we have decided not to take forward your job application", it means that the company isn't going to hire you, not that they are going to hire you in a couple of weeks time.

          If the ICO isn't processing these complaints until the end of the Covid crisis, but the complaints will be saved up and actioned after that, perhaps they should have actually said that instead of writing in ambiguous euphemistic bollocks management speak.

          1. not.known@this.address
            Trollface

            Re: Doesn't mean they are ignoring it

            Smooth Newt said "If you receive a letter saying "we have decided not to take forward your job application", it means that the company isn't going to hire you, not that they are going to hire you in a couple of weeks time."

            Conveniently overlooking the phrase "UNTIL THE SITUATION IMPROVES". Which puts a completely different spin on things when it's added to a statement...

            Personally, I agree with those who think the ICO will simply brush anything and everything they can under the carpet, given how effective they have been so far. But we can always live in hope.

            1. Anonymous Coward
              Happy

              Re: Doesn't mean they are ignoring it

              Smooth Newt said "If you receive a letter saying "we have decided not to take forward your job application", it means that the company isn't going to hire you, not that they are going to hire you in a couple of weeks time."

              Conveniently overlooking the phrase "UNTIL THE SITUATION IMPROVES". Which puts a completely different spin on things when it's added to a statement...

              "We have therefore decided not to take forward any job applications until the situation improves" doesn't mean you have been hired. It just means no-one else has either.

              The sentence they used was "We have therefore decided not to take forward any complaints that require organisations to take action or respond to enquiries from us until the situation improves." You hope the sentence means that processing of complaints is deferred but it just as easily means that complaints will be binned until the situation improves.

      4. DCdave

        and what the hell is a 'live investigation' of something that happened in January (and/or before)?

  12. taxman

    That's a first!

    So it is easier getting data and credit card details from EasyJet than getting a refund on a cancelled flight!

    Was due to go to Krakow in March but as Poland shut the airport EasyJet cancelled the flights. Got a refund for the flight out - but the flight back has been deleted from my bookings, making the task of applying for a refund a tad difficult. Trying the credit card route but they are similarly un-cooperative.

    1. Martin Summers Silver badge

      Re: That's a first!

      Well that's one angle on it. Maybe the miscreants just wanted a refund for a flight from Easyjet. Obtaining and using someone else's credit card details from them was possibly the easiest way to achieve that.

    2. MachDiamond Silver badge

      Re: That's a first!

      Keep trying the CC company. If there is no booking on file but a charge on your card, that can't look good. All best done in writing.

  13. Chris Miller

    CVV should never be held

    The PCI DSS security standard for handling credit cards mandates this. If easyJet (subs note sp) were doing so (about as unlikely as storing their site password in clear text), they'll be in a world of trouble. The standard also requires all CC data to be strongly encrypted.

    1. Anonymous Coward
      Thumb Up

      Re: CVV should never be held

      The PCI DSS security standard for handling credit cards mandates this. If easyJet (subs note sp) were doing so (about as unlikely as storing their site password in clear text), they'll be in a world of trouble. The standard also requires all CC data to be strongly encrypted.

      Flaws in encryption are almost always around key management. Encrypting a block of data is just a library function call, but key management is a tricky design problem fraught with potential difficulties.

      1. TkH11

        Re: CVV should never be held

        Keys were probably held in the database alongside the data being protected by them.
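An added example of the two key-management patterns the last three comments contrast: Chris Miller's "strongly encrypted" requirement, the AC's point that the weak spot is key management rather than the cipher call, and TkH11's guess that the keys sat in the same database as the data. This is illustrative code written for this thread, not Easyjet's or any commenter's; the in-process KMS stands in for a real key service (cloud KMS, HSM or Key Vault) and is an assumption, as are the record layouts. It uses envelope encryption with AES-256-GCM from the Go standard library: each record gets its own data key, the data key is wrapped under a key-encryption key that never leaves the KMS, and only the wrapped form is stored next to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG; nothing sensible to continue with
	}
	return b
}

// seal encrypts with AES-256-GCM under a fresh nonce; output is nonce||ct||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on any key or ciphertext mismatch.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// KMS stands in for a key management service. The key-encryption key (KEK)
// never leaves it; callers only get Wrap and Unwrap.
type KMS struct{ kek []byte }

func NewKMS() *KMS                             { return &KMS{kek: randomBytes(32)} }
func (k *KMS) Wrap(dek []byte) ([]byte, error) { return seal(k.kek, dek) }
func (k *KMS) Unwrap(w []byte) ([]byte, error) { return open(k.kek, w) }

// Row is one database record under envelope encryption: the ciphertext and
// the wrapped per-record data key. Both may live in the same table because
// the wrapped key is useless without the KMS.
type Row struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt generates a per-record DEK, encrypts the value with it, wraps the
// DEK under the KMS and drops the plaintext DEK.
func Encrypt(k *KMS, value []byte) (Row, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, value)
	if err != nil {
		return Row{}, err
	}
	wrapped, err := k.Wrap(dek)
	if err != nil {
		return Row{}, err
	}
	return Row{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt is the legitimate path: unwrap through the KMS, then decrypt.
func Decrypt(k *KMS, r Row) ([]byte, error) {
	dek, err := k.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// BadRow is the pattern TkH11 describes: the data key stored in the clear
// beside the data it protects. A dump of the table is then enough.
type BadRow struct {
	Ciphertext []byte
	DEK        []byte
}

func EncryptBadly(value []byte) (BadRow, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, value)
	if err != nil {
		return BadRow{}, err
	}
	return BadRow{Ciphertext: ct, DEK: dek}, nil
}

// AttackWithDumpOnly is what someone holding just the table can try: use
// the key-looking bytes from the row. It recovers BadRow's plaintext and
// fails on Row, whose stored bytes are a wrapped blob, not the DEK.
func AttackWithDumpOnly(ciphertext, storedKeyBytes []byte) ([]byte, error) {
	return open(storedKeyBytes, ciphertext)
}
```

The cipher call is identical in both paths, which is the AC's point: what separates the two is where the key that matters lives. With Row, a SQL-injection dump of the whole table yields ciphertext plus wrapped keys and nothing else; the attacker would additionally need to reach the KMS and be authorised to call Unwrap, which is exactly the access a PCI environment is meant to segment off from the web tier.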

  14. Paul Eagles
    Thumb Down

    Oh goody, so that's British Airways and now EasyJet who have let someone run away with my credit card details.

  15. SSOT

    There but for the grace of God go I

    The news nowadays is full of "hacks" sophisticated and otherwise. The good news is the increasing mindfulness we all have about IT security, the bad news obviously is for the victims. There always seems to be a lot of happy finger pointing in these posts, "I'm better than you" , "never going to happen here". Maybe. When I read about these stories my predominant thought is about redoubling my own efforts and worrying what I don't know or might have missed. The unknown unknown. The moment we allow ourselves that small moment of schadenfreude, or even smugness we run the risk of being the next victim.

  16. David Hall 1

    Not very pci friendly

    They are lucky it was only 2k cards. Can't see anyone being thrilled to find out they were storing CVVs...

    But since I doubt they were - my prediction is that they used their access to push a script to the booking platform. Looking at you BA.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not very pci friendly

      Or used offline processing for fraud checks?

  17. FrogsAndChips Silver badge
    Facepalm

    From the official Easyjet statement

    "There is no evidence that any personal information of any nature, including credit card data, has been misused"

    Obviously, the attackers went after all that data just for the fun of it!

    1. batfink

      Re: From the official Easyjet statement

      This is the same line that TalkTalk used. The answer is still the same: just because you don't have any evidence doesn't mean it hasn't happened.

  18. VulcanV5
    Unhappy

    Chief exec Johan Lundgren apologised for the failings of his airline's "robust security measures," saying: "We would like to apologise to those customers who have been affected by this incident."

    Aside from the glaringly obvious fact that something which was "robust" cannot have failed, this is yet another example of the way the higher echelons of business in the UK (and elsewhere, too) are permeated with morons all using the same prayer book to lament the evils of others whilst absolving themselves of any blame.

    The idiot Lundgren must surely be on Dildo Harding's Christmas card list and vice versa. Amazing, the way this particular sub-species proliferates.

    1. Timmy B

      Robust does not mean invulnerable. You can do all you can and thus be robust, but there could be things outside your control. What about an inside man - we all have our price. Nothing is perfect.

      1. IGotOut Silver badge

        Indeed medieval castles were a robust defence against attack, but they still fell.

  19. Welsh Skeptic

    When the BBC reported on this, they said that it bore all the hallmarks of a Chinese hacking team.

    I wonder did they get this information from EasyJet or was it something dreamt up by their inhouse disinformation team.

    Of course, they might have thought the Russian angle has been a little overplayed of late, who would care if it was Iran and as for North Korea that will be saved for another time.

    It will be interesting to see if what they mean by "sophisticated" ever emerges.

  20. I Am Spartacus

    Well, me too.

    "Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020."

    But I haven't booked a holiday with EasyJet for well over 3 years. Certainly not between 2019 and 2020.

    Me thinks the greek complains too much.

  21. MachDiamond Silver badge

    Just look at the bright side, free credit monitoring.

    Does anybody else have so much free credit monitoring from numerous data breaches that it's seeming a bit redundant?

    I'm way past the point where I want to start seeing C-level execs in the pillory and companies fined into oblivion, and anybody with any security job posting at serious risk of being unable to take on subsequent employment in that field after enquiries are complete. It needs to be a major liability to store customers' PII and financial details. If it could mean company-ending fines, maybe they'd take it far more seriously. I'm more than happy to be John Smith 12345 for any miles account and type in my CC number each time. They don't need my bloody life story on file "to serve me better".

  22. greedygobbler

    You get what you pay for

    https://net.cs.uni-bonn.de/fileadmin/user_upload/naiakshi/Naiakshina_Password_Study.pdf
