Maybe easyJet don't need to continue as a business. Certainly the current travel culture will crank "survival of the fittest" up to 11 and easyJet seem anything but fit. It's hard to mourn a company, one of many, that doesn't take security seriously.
It wasn't just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims
Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline. As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet …
COMMENTS
Saturday 23rd May 2020 06:10 GMT robidy
So BA didn't scrimp on security or the majority of other companies who've been hacked?
Airlines are the target of nation state actors as not every country is allowed access to passenger lists for "vetting"... the security budget is not unlimited.
Not being funny, but I get the feeling you don't manage security :)
This post has been deleted by its author
Monday 25th May 2020 10:42 GMT Anonymous Coward
Depends on how far up the Corporate ladder you are. Those at the top seem to do very well. Consumers and those at the bottom - not so much.
And as those at the top are the ones that seem to be in control.
Having said that, whatever the political system, it's the ones holding onto the power who benefit the most.
Monday 25th May 2020 06:40 GMT Anonymous Coward
Re: On this Michael O'Leary has a point
Yes, but that is classic O'Leary. He will not part with as much as a penny without a fight - after all, that one-way traffic is what made him rich.
I suspect his next scamtrick will be high admin charges on refunds as high as the value of the refund, or only validating refund vouchers if they're printed in llama blood on the skin of a Yeti. He's going to make it impossible to get your money back; I expect him to keep doing that even while he's taken to court for it.
Friday 22nd May 2020 18:30 GMT Steve Foster
Stelios & EGM
This isn't the first time Stelios has forced an EGM to be held, as he does like to throw tantrums from time to time. He basically thinks he always knows better than the EasyJet board - sometimes he might be right, but trying to throw his weight [via his large shareholding] around like this just makes him look petty and vindictive.
Friday 22nd May 2020 19:23 GMT Anonymous Coward
DPA 2018?
So, when did EasyJet inform the ICO?
From memory, under the DPA 2018 they have 72 hours to refer themselves after discovering the breach which doesn’t seem to fit with an announcement this week of a hack that occurred a couple of months ago and which left customers vulnerable to fraud.
Saturday 23rd May 2020 08:34 GMT Nifty
Re: DPA 2018?
A spokesman for EasyJet said the airline notified the ICO, which it is obliged to do within 72 hours of discovering a breach, in January.
https://www.telegraph.co.uk/technology/2020/05/19/easyjet-hit-highly-sophisticated-cyber-attack/
I think that doesn't mean the ICO needed to make it public; it may help the investigation not to do so immediately.
This post has been deleted by its author
Saturday 23rd May 2020 01:28 GMT Anonymous Coward
Just to point out
That in the circumstances, any non-UK based EU-resident customers can take up the matter directly with their own national data protection office, in light of the concerns raised by the ICO's (non-)handling of this matter (and numerous others).
Also, I haven't checked which legal entity is responsible for the data. EZY being spread over a number of countries, it is possible it is not even a UK entity.
Saturday 23rd May 2020 09:23 GMT robidy
Re: Just to point out
Their privacy policy has some weasel words about GDPR and references to Swiss law but I can't see how it would escape the clutches of GDPR thankfully :)
This bit of their privacy policy left me laughing my head off -
"Furthermore, easyJet is a PCI DSS compliant organisation. This means that we adhere to high security standards in order to protect your payment card details when you are sending us this information.
The information that you provide to us will be held in our systems, which are located on our premises or those of our appointed suppliers.
As described in this Privacy Policy, we may in some instances disclose or allow access to your information by third parties who act for us for the purposes described in this policy or for other purposes approved by you. Where these third parties process your personal data on our behalf, we require that they have appropriate technical and organisational measures in place to protect this data."
Sunday 24th May 2020 21:53 GMT 142
Re: Just to point out
> the information included the CVV, which I think means that Easyjet are not PCI DSS compliant.
That depends on if they were stolen from Easyjet's systems. Speculation appears to be that it was malicious code inserted into the website that siphoned off the details client-side.
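The point above, that a skimmer injected into the website would siphon card details client-side before they ever reach the airline's servers, is why payment-page integrity monitoring exists. The following is an added example (my code, not easyJet's and not posted by any commenter): it inventories every script on a checkout page, external ones by URL and inline ones by SHA-256 of their body, and diffs that against a saved baseline so that any new script or any change to an inline script is reported. The two page bodies, the URLs and the baseline are constructed placeholders.

```python
"""Inventory the scripts on a payment page and diff against a saved baseline.

Added example; not easyJet's code. Pages, URLs and the baseline are constructed.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src, inline ones by SHA-256 of the body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
            self._inline = False
        else:
            self._inline = True
            self._buf = []

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline:
            body = "".join(self._buf).strip().encode("utf-8")
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._inline = False


def inventory(html):
    """Return the set of (kind, value) script entries found in `html`."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return set(collector.scripts)


def diff_against_baseline(baseline, html):
    """Compare a freshly fetched page with the approved inventory."""
    current = inventory(html)
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


# Constructed checkout page as approved at deployment time.
BASELINE_PAGE = """<html><head>
<script src="https://static.example.invalid/checkout.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed page as later served: the inline config changed and an extra script appeared.
TAMPERED_PAGE = """<html><head>
<script src="https://static.example.invalid/checkout.js"></script>
<script>window.checkoutConfig = {currency: "GBP", extra: true};</script>
<script src="https://cdn.example-placeholder.invalid/stats.js"></script>
</head><body><form id="payment"></form></body></html>"""


if __name__ == "__main__":
    baseline = inventory(BASELINE_PAGE)
    report = diff_against_baseline(baseline, TAMPERED_PAGE)
    for kind, value in report["added"]:
        print(f"UNEXPECTED {kind}: {value}")
    for kind, value in report["removed"]:
        print(f"MISSING {kind}: {value}")
```

In practice the baseline is captured at deployment and the check is run against the page as a real browser would fetch it, from outside the CDN, on a schedule; a hit on "added" is the signal that a PCI DSS tamper-detection control (requirement 11.6.1 in v4.0 asks for exactly this on payment pages) is meant to raise.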
Saturday 23rd May 2020 07:13 GMT Warm Braw
The helpful "personal" message from CEO Johan Lundgren
As soon as we became aware of the attack, we took immediate steps to manage and respond to the incident, closing off the unauthorised access. We engaged leading forensic experts to investigate the issue and we also notified the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
Which sounds remarkably like "as soon as we were aware of the pandemic we took the right measures at the right time and followed the scientific advice". He even adds:
You do not need to take any action apart from continuing to be alert.
It's almost as if Dominic Cummings was moonlighting for Easyjet during his little sojourn at his parents' house. If so, he can credit himself on devising the universal platitude for all crises.
Saturday 23rd May 2020 08:24 GMT Nifty
Is hacking too easy?
I'm assuming in my naivety that the customer details were stored in an encrypted database but the hackers got the decryption keys, so were able to do a bulk data slurp.
Is it really not possible to design a system that only allows access to one customer's record at a time? With some sort of technology (e.g. like a captcha) to prevent a bot from accessing successive records incrementally even within the company intranet? What technology do the police use for accessing criminal records?
Saturday 23rd May 2020 10:52 GMT pstones578
I stopped doing this years ago
The challenge is if a bad actor gets in and has the credentials / tokens / keys etc. to access the data then encryption is not enough. There needs to be monitoring in place to detect bad behavior and either automatically shut it down or alert a team that should respond immediately.
Saturday 23rd May 2020 11:01 GMT Morten Bjoernsvik
Re: Is hacking too easy?
>What technology do the police use for accessing criminal records?
In Norway we have centralized login: http://www.idporten.no/ where there are 3 different providers and 6 different 2FA ways to authenticate. This login service is used to access any official records by customers and internals alike. It covers USB sticks, smartcards and login tokens and soon YubiKey FIDO2 devices. It's governed by its own governmental directorate https://www.difi.no/
Soon a service that scans your passport will come alive. It will take you from zero legitimation level to top in one go. Making the onboarding fully digital and much faster.
Each provider needs a lot of independent backend services from various other providers, so it means compromising one won't compromise the entire chain.
Monday 25th May 2020 01:40 GMT Pascal Monett
Re: only allows access to one customer's record at a time
Database systems are designed to be as fast as possible, not to impose delays. You need to understand that there is not just one terminal (aka PC) making requests to the database, there are hundreds, if not thousands. You have the hostesses in the airports, registering luggage, you have travel agents querying the best way for their customer to travel, you have people on the Internet looking it up for themselves, and there is probably a bunch of other possible ways to send demands that I haven't the foggiest idea of.
If you create a system where only one request can be served at a time, you are basically choking the whole system beyond usability and the whole thing collapses.
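Three posts above pull in different directions: Nifty asks whether a system could hand out one record at a time, pstones578 answers that what is actually needed is monitoring that spots bulk access and shuts it down or pages a team, and Pascal Monett points out that serialising requests would collapse a system serving thousands of terminals. The following is an added example, not easyJet's code and not posted by any commenter, that reconciles the three: it leaves the database alone and instead slides a one-minute window over per-record audit events, counting the distinct customer records each principal touches; a check-in agent stays in single figures while a credential walking the table trips the threshold. The audit-line format, the principal names, the sample events and the threshold are all constructed assumptions.

```python
"""Flag principals reading customer records in bulk from per-record audit events.

Added example; not easyJet's code. Assumes (constructed) audit lines of the form
"<ISO-8601 timestamp> <principal> <action> customer/<id>", one line per record read.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split one constructed audit line into (timestamp, principal, action, target)."""
    ts, principal, action, target = line.split()
    return datetime.fromisoformat(ts), principal, action, target


def find_bulk_readers(lines, window=timedelta(minutes=1), threshold=50):
    """Return {principal: peak distinct records in any `window`} for principals over `threshold`.

    The database itself is not throttled; this runs over its audit trail and counts
    distinct records per principal in a sliding window, which is what separates a
    bulk slurp from a busy but legitimate terminal re-reading the same booking.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)       # principal -> deque of (timestamp, record) inside window
    in_window = defaultdict(Counter)  # principal -> record -> hits inside window
    peak = defaultdict(int)           # principal -> highest distinct-record count seen
    for ts, principal, action, target in events:
        if action != "READ":
            continue
        q, counts = recent[principal], in_window[principal]
        q.append((ts, target))
        counts[target] += 1
        # Evict events that fell out of the window; forget records no longer in it.
        while q and ts - q[0][0] > window:
            _old_ts, old_target = q.popleft()
            counts[old_target] -= 1
            if counts[old_target] == 0:
                del counts[old_target]
        peak[principal] = max(peak[principal], len(counts))
    return {p: n for p, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed sample: two legitimate principals plus one credential walking IDs."""
    lines = [
        "2020-01-10T09:00:01 agent-gatwick-07 READ customer/100234",
        "2020-01-10T09:00:03 agent-gatwick-07 UPDATE customer/100234",
        "2020-01-10T09:00:40 agent-gatwick-07 READ customer/100876",
        "2020-01-10T09:01:10 api-partner-ota READ customer/200001",
        "2020-01-10T09:01:11 api-partner-ota READ customer/200002",
        "2020-01-10T09:01:15 api-partner-ota READ customer/200003",
    ]
    start = datetime(2020, 1, 10, 9, 2, 0)
    for i in range(500):  # 500 sequential IDs in 50 seconds: the bulk pattern
        ts = start + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} svc-reporting READ customer/{300000 + i}")
    return lines


if __name__ == "__main__":
    for principal, n in find_bulk_readers(build_sample_log()).items():
        print(f"ALERT: {principal} read {n} distinct customer records within one minute")
```

The threshold is the tuning knob: set it from the observed per-role baseline (an agent desk, a partner API key, a batch job) rather than one global number, and wire the alert to something that can revoke the credential, since pstones578's point is that detection without a response path changes nothing.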
This post has been deleted by its author
Saturday 23rd May 2020 12:53 GMT Free treacle
Re: January? March? Which is it?
Going to have to hypothesise, but the time taken for a hack to be discovered and learning the extent of a breach are not always the same thing. They may have had to arrange a third party to come in to search through (perhaps?) incomplete/scant datasets and correlate evidence of what was actually exposed (and maybe they cut costs there too).
Customers should have been informed, countermeasures should have been put in place to secure personally identifiable data, money should have been spent by Easyjet (hah!). I don't have a high opinion of Easyjet (hence this borderline rant) and maybe they didn't take this seriously enough, but that is why I believe they may have delayed informing customers (crossing their fingers it was something insignificant).
Saturday 23rd May 2020 23:56 GMT gerryg
Never forget the Mandy Rice-Davies aphorism
They say no credit card or passport details were lost. I have no idea. Will the data they have lost be put in deep freeze until things calm down? The travel itinerary was largely irrelevant not least as the flights were cancelled so the burglar would have found me in. Reassuring messages from some bloke I have never heard of... "Well he would say that, wouldn't he?"
Sunday 24th May 2020 17:32 GMT Persona
Oh dear.
So the hackers also know about my flight EZY8223 to Valencia on 13th January, oh my. The hack could also explain why my credit card company issued me with a new card with a new number even though the old one was not due to expire. Whilst having to change card details here and there is mildly inconvenient it's certainly not going to stop me using EasyJet once they start flying again.
Sunday 24th May 2020 21:39 GMT vtcodger
Re: Oh dear.
There are a lot of folks out there who sincerely believe that personal details hacked from the Internet are a marketable entity of great worth. Credit card account info, yeah, I can believe there is a marketplace in some dingy corner of the dark web where that can be sold for a tiny fraction of a Bitcoin. (How does one do that BTW? Bitcoins aren't pieces of eight that any fool could carve up with a chisel.) But who, in or out of their right mind, would pay for your travel itinerary?
Monday 25th May 2020 09:42 GMT Persona
Re: Oh dear.
So you are thinking that a burglar is going to invest in travel plans to hopefully locate a victim somewhere within reasonable driving distance safe in the knowledge that the house can't possibly be occupied by relatives or lodgers just because someone from there is on holiday?
>99% of burglaries are opportunistic. The <1% that aren't won't be targeting EasyJet customers.
Tuesday 26th May 2020 14:28 GMT batfink
Re: Oh dear.
Dear Mr Codger - this is an important message regarding your Flight EZ986 from London to Barcelona, Booking Reference ZAJKYM.
Your flight has been cancelled, due to the ongoing Coronavirus restrictions. We apologise for any inconvenience this may have caused you.
Please click here for your refund.
Signed, your friendly Easyjet team.
Tuesday 26th May 2020 07:46 GMT Anonymous Coward
Thanks, I need a fake passport to take out a loan
Always good to be able to use real data on a fake passport, then that person is really on the hook and nobody will come after the scammer. Would you mind supplying your name as well, so I don't have to look it up in the data?
You don't mind paying my loan back when they come looking for you, right?
Tuesday 26th May 2020 11:14 GMT Persona
Re: Thanks, I need a fake passport to take out a loan
Don't be lazy: find it out yourself. Hint - if you want passport details, hotel reception staff are on not much more than minimum wage. No doubt £50 would get you photocopies of half a dozen passports. For a bit more you could also get the matching credit card details and address.
Tuesday 26th May 2020 07:52 GMT DCdave
I tried to put in a GDPR data request
To find out what the barstewards actually have, as opposed to what the email says they lost.
But of course, there is a Google-inspired "to make sure it's you, we need a copy of your ID card or passport".
WTF? You've lost my data, and now you want me to trust you with more so that you can pretend it's for security? Just how, exactly, are you going to verify that that copy I provide is valid in any way, especially if you are not storing my passport details like I requested?
Tuesday 26th May 2020 08:14 GMT Dan 55
Re: I tried to put in a GDPR data request
I have an account from ages ago and wasn't notified by EasyJet. I haven't flown with them in years and no flights appear in the flight history, so after trying and failing to find the button for deleting my account and reading that same nonsense instead, I just decided to fill it up with random data and point the e-mail address to mailinator.
Friday 29th May 2020 12:28 GMT Anonymous Coward
Re: I tried to put in a GDPR data request
Not an option for me, as I still have outstanding flights with them.
I didn't provide all of the correct data, and got a response from them to my new email address, changed after I was notified, saying they couldn't find anything under that email address and did I have another one? Have now supplied them with the old email address and will see what I get back.