It wasn't just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims

Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline. As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet …

  1. O RLY

    Maybe easyJet don't need to continue as a business. Certainly the current travel culture will crank "survival of the fittest" up to 11 and easyJet seem anything but fit. It's hard to mourn a company, one of many, that doesn't take security seriously.

    1. Yet Another Anonymous coward Silver badge

      So we have flag carriers bailed out by their governments and all the cheap airlines go bust and we go back to paying £500 on 'British' Airways to fly to Europe

      1. Anonymous Coward

        Some things in life are worth the expense. If they all skimp on security then complain. But don't complain a competitor is worse than those cutting corners on price.

        1. robidy

          So BA didn't scrimp on security or the majority of other companies who've been hacked?

          Airlines are the target of nation state actors as not every country is allowed access to passenger lists for "vetting"... the security budget is not unlimited.

          Not being funny, but I get the feeling you don't manage security :)

          1. Yet Another Anonymous coward Silver badge

            I think when it comes to hacking, British Airways' approach could be described as "proactive"

          2. Anonymous Coward

            Was not a comment on security, but a comment on complaining expensive things are expensive. Same applies to security, it's expensive! But never mind, continue with the downvotes.

      2. elaar

        To be fair, most of the Easyjet flights to Europe are a similar price to BA these days, and Ryanair often works out more expensive, from Stansted anyway.

      3. jospanner

        Welcome to capitalism. Turns out it doesn't work all that well.

        1. This post has been deleted by its author

          1. codemonkey

            If you're "quoting" Churchill, then maybe you have to update your thinking, by, like, a few decades :D

            1. clyde666

              Churchill again

              I had a client who actually had a signed photograph of Churchill on his office wall. Seems the chap had visited the company when the present owner's dad owned it.

            2. ElectricPics

              Those that discard 'outdated' wisdom tend to be in greater need of it.

              1. Anonymous Coward

                Those living in the past can’t tell time.

        2. Anonymous Coward

          Depends on how far up the Corporate ladder you are. Those at the top seem to do very well. Consumers and those at the bottom - not so much.

          And those at the top are the ones that seem to be in control.

          Having said that, whatever the political system, it's the ones holding onto the power who benefit the most.

      4. gerryg

        On this Michael O'Leary has a point

        Passenger numbers show the success Ryanair had competing with the loss making dinosaurs but all for nothing if governments bail them out under the cover of Covid 19.

        1. robidy

          Re: On this Michael O'Leary has a point

          Except when you want a refund....BA pay out no questions asked from an online request. Ryanair seem to think vouchers that expire in Dec 2020 are a cash refund.

          1. Anonymous Coward

            Re: On this Michael O'Leary has a point

            Yes, but that is classic O'Leary. He will not part with as much as a penny without a fight - after all, that one-way traffic is what made him rich.

            I suspect his next scam trick will be high admin charges on refund as high as the value of the refund, or only validating refund vouchers if they're printed in llama blood on the skin of a Yeti. He's going to make it impossible to get your money back, I expect him to keep doing that even while he's taken to court for it.

        2. Alan Brown Silver badge

          Re: On this Michael O'Leary has a point

          Ah, yes... "cheap flights"

          https://www.youtube.com/watch?v=uVASZ2lCY5Y

  2. Steve Foster

    Stelios & EGM

    This isn't the first time Stelios has forced an EGM to be held, as he does like to throw tantrums from time to time. He basically thinks he always knows better than the EasyJet board - sometimes he might be right, but trying to throw his weight [via his large shareholding] around like this just makes him look petty and vindictive.

    1. robidy

      Re: Stelios & EGM

      He only owns 34%. Someone needs to tell him the share price has tanked and to buy up to 50.1% if he wants control.

      He could do that with all the lovely 40 pence a share dividends he's been getting.

      1. Prst. V.Jeltz Silver badge

        Re: Stelios & EGM

        whut?

        1. robidy

          Re: Stelios & EGM

          It was the Ryanair budget spelling and grammar checker in Klingon... English is a paid-for extra.

    2. Steve Graham

      Re: Stelios & EGM

      I've seen quotes from him that make it clear that he suspects corruption in the procurement of the Airbus contract.

      (It was only January this year when the USA, UK and France imposed huge fines on Airbus for bribery in other deals.)

      1. Saruman the White Silver badge

        Re: Stelios & EGM

        Accusations are easy for Stelios to make. Maybe he should ante up some evidence to support his claims.

        1. Insert sadsack pun here

          Re: Stelios & EGM

          He has in fact offered a payment to anyone that sends him evidence. Despite him describing that person as a whistleblower, anyone sending Stelios evidence of that bribery instead of to the cops or their own boss first will be in a world of pain. Good news for lawyers though.

      2. ElectricPics

        Re: Stelios & EGM

        He's probably right. After all, he'll have been on the receiving end of the odd bung so he should know.

  3. Anonymous Coward

    DPA 2018?

    So, when did EasyJet inform the ICO?

    From memory, under the DPA 2018 they have 72 hours to refer themselves after discovering the breach which doesn’t seem to fit with an announcement this week of a hack that occurred a couple of months ago and which left customers vulnerable to fraud.

    1. Nifty Silver badge

      Re: DPA 2018?

      A spokesman for EasyJet said the airline notified the ICO, which it is obliged to do within 72 hours of discovering a breach, in January.

      https://www.telegraph.co.uk/technology/2020/05/19/easyjet-hit-highly-sophisticated-cyber-attack/

      I think that doesn't mean the ICO needed to make it public, it may help the investigation not to do so immediately.

      1. This post has been deleted by its author

  4. Anonymous Coward

    We are very sorry this has happened.

    says Michael O'Leary, this (...) (...)

    1. Overflowing Stack

      Re: We are very sorry this has happened.

      Michael O'Lardy of Brianair "Easyjet want to give your details away, we want you to know we've sold them and you'll have to pay to get them back"

      1. Yet Another Anonymous coward Silver badge

        Re: We are very sorry this has happened.

        All Ryanair's customers got leaked in the Sports Direct hack

    2. macjules

      Re: We are very sorry this has happened.

      If RyanAir had done this they would have charged their customers to inform them of the breach.

  5. IGotOut Silver badge

    Credit Monitoring

    Is available for a small upgrade charge.

    1. robidy

      Re: Credit Monitoring

      ...payable to the new Easyjet western union 419 account.

      1. SuperGeek

        Re: Credit Monitoring

        "...payable to the new Easyjet western union 419 account.". Owned by the ever so lovable George Agdgdgwngo! Just a sort code needed!

  6. Anonymous Coward

    Just to point out

    That in the circumstances, any non-UK based EU-resident customers can take up the matter directly with their own national data protection office, in light of the concerns raised by the ICO's (non-)handling of this matter (and numerous others).

    Also, I haven't checked which legal entity is responsible for the data. EZY being spread over a number of countries, it is possible it is not even a UK entity.

    1. robidy

      Re: Just to point out

      Their privacy policy has some weasel words about GDPR and references to Swiss law but I can't see how it would escape the clutches of GDPR thankfully :)

      This bit of their privacy policy left me laughing my head off -

      "Furthermore, easyJet is a PCI DSS compliant organisation. This means that we adhere to high security standards in order to protect your payment card details when you are sending us this information.

      The information that you provide to us will be held in our systems, which are located on our premises or those of our appointed suppliers.

      As described in this Privacy Policy, we may in some instances disclose or allow access to your information by third parties who act for us for the purposes described in this policy or for other purposes approved by you. Where these third parties process your personal data on our behalf, we require that they have appropriate technical and organisational measures in place to protect this data."

      1. Anonymous Coward

        Re: Just to point out

        that in the article it says that no payment card details were stolen

        Cheers… Ishy

        1. robidy

          Re: Just to point out

          ...apart from the bit that says "though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack."

      2. Steve Graham

        Re: Just to point out

        An acquaintance received the email regarding the exposure of her credit card details. It explicitly states that the information included the CVV, which I think means that Easyjet are not PCI DSS compliant.

        1. 142

          Re: Just to point out

          > the information included the CVV, which I think means that Easyjet are not PCI DSS compliant.

          That depends on whether they were stolen from Easyjet's systems. Speculation appears to be that it was malicious code inserted into the website that siphoned off the details client-side.

          1. Anonymous Coward

            Re: Just to point out

            .. which is still Easyjet's problem as they're the primary for the transaction. Thankfully you can't outsource a risk, you still own it (although many directors keep trying).

            They can then, in turn, take the outsourcer to court, but they're definitely on the hook.
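      The exchange above turns on what a merchant may keep after a card payment. As an added example (not easyJet's code, and nothing on this page says how their payment flow actually works), this is the storage boundary a PCI DSS-minded service puts between the checkout form and the database: PCI DSS Requirement 3 forbids retaining sensitive authentication data such as the CVV2 after authorisation, even encrypted, and requires the PAN to be unreadable wherever it is stored. The field names, record layout and masking format are assumptions. The caveat 142 raises still applies: a skimmer running in the customer's browser captures the form before any server-side code sees it, so this only governs what the server persists and does nothing about client-side exfiltration.

```python
"""Added example, not easyJet's code: the storage boundary a PCI DSS-minded
payment service puts between the checkout form and the database.

PCI DSS Requirement 3: sensitive authentication data (CVV2/CVC2, full track
data, PIN block) must not be stored after authorisation, even encrypted, and
the PAN must be unreadable wherever it is stored. Field names, record layout
and the masking format below are assumptions for the example.
"""
from dataclasses import dataclass
import re

# Fields that must never reach persistent storage or logs (assumed form names).
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "cvc", "cvv2", "cvc2", "track1", "track2", "pin"})


@dataclass(frozen=True)
class StoredCard:
    """The only card data this layer allows to be persisted."""
    masked_pan: str   # first six + last four, e.g. 411111******1111
    expiry: str       # MM/YY
    brand_hint: str   # derived from the BIN, not supplied by the customer


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test used by all major card brands."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def brand_hint(pan: str) -> str:
    """Coarse brand from the BIN range; enough for display, not for routing."""
    if pan[0] == "4":
        return "visa"
    if 51 <= int(pan[:2]) <= 55:
        return "mastercard"
    return "other"


def prepare_for_storage(form: dict) -> StoredCard:
    """Reduce a raw checkout submission to what may be kept.

    The CVV is never read out of `form`, so it cannot reach the ORM, the
    database, or a debug log of this function's return value. A bad PAN
    raises rather than being stored for 'later investigation'.
    """
    pan = re.sub(r"\D", "", form.get("pan", ""))
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    expiry = form.get("expiry", "")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    return StoredCard(masked_pan=mask_pan(pan), expiry=expiry, brand_hint=brand_hint(pan))


def leaks_sensitive_auth_data(record: dict) -> list:
    """Audit helper for a dumped row or a parsed log line: which forbidden
    fields does it still carry? An empty list means clean."""
    return sorted(k for k in record if k.lower() in SENSITIVE_AUTH_FIELDS)


if __name__ == "__main__":
    # Constructed sample submission; 4111... is a well-known Visa test PAN.
    form = {"name": "A Passenger", "pan": "4111 1111 1111 1111",
            "expiry": "12/26", "cvv": "123"}
    stored = prepare_for_storage(form)
    print(stored)                                   # masked_pan='411111******1111'
    print(leaks_sensitive_auth_data(form))          # ['cvv'] - the raw form must never be persisted
    print(leaks_sensitive_auth_data(vars(stored)))  # []
```

      The audit helper is the part an incident reviewer reaches for: run over rows from a database dump, or over parsed application log lines, it answers the question Steve Graham's acquaintance's email raises, namely whether a CVV was ever sitting at rest where an attacker could take it.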

      3. seven of five

        Re: Just to point out

        IIRC, GDPR is valid in Switzerland as well.

        1. Anonymous Coward

          Re: Just to point out

          Not quite, but Swiss privacy laws exceed GDPR in a number of aspects (it makes certain activities criminal, for instance) so being Swiss compliant means your only concerns then are merely procedural.

  7. Warm Braw

    The helpful "personal" message from CEO Johan Lundgren

    As soon as we became aware of the attack, we took immediate steps to manage and respond to the incident, closing off the unauthorised access. We engaged leading forensic experts to investigate the issue and we also notified the National Cyber Security Centre and the Information Commissioner’s Office (ICO).

    Which sounds remarkably like "as soon as we were aware of the pandemic we took the right measures at the right time and followed the scientific advice". He even adds:

    You do not need to take any action apart from continuing to be alert.

    It's almost as if Dominic Cummings was moonlighting for Easyjet during his little sojourn at his parents' house. If so, he can credit himself on devising the universal platitude for all crises.

    1. robidy

      Re: The helpful "personal" message from CEO Johan Lundgren

      Wonder if he's also written the new BrianAir eyesight test?

  8. Nifty Silver badge

    Is hacking too easy?

    I'm assuming in my naivety that the customer details were stored in an encrypted database but the hackers got the decryption keys, so were able to do a bulk data slurp.

    Is it really not possible to design a system that only allows access to one customer's record at a time? With some sort of technology (e.g. like a captcha) to prevent a bot from accessing successive records incrementally even within the company intranet? What technology do the police use for accessing criminal records?

    1. pstones578

      I stopped doing this years ago

      The challenge is if a bad actor gets in and has the credentials / tokens / keys etc. to access the data then encryption is not enough. There needs to be monitoring in place to detect bad behavior and either automatically shut it down or alert a team that should respond immediately.

    2. Morten Bjoernsvik

      Re: Is hacking too easy?

      >What technology do the police use for accessing criminal records?

      In Norway we have centralized login: http://www.idporten.no/ where there are 3 different providers and 6 different 2FA ways to authenticate. This login service is used to access any official records by customers and internals alike. It covers USB sticks, smartcards and login tokens and soon YubiKey FIDO2 devices. It's governed by its own governmental directorate https://www.difi.no/

      Soon a service that scans your passport will come alive. It will take you from zero legitimation level to top in one go. Making the onboarding fully digital and much faster.

      Each provider needs a lot of independent backend services from various other providers, so compromising one won't compromise the entire chain.

      1. robidy

        Re: Is hacking too easy?

        You have political leaders... we have Boris Johnson... who's even ridiculed by Max Hastings... his former boss who is also right wing.

    3. Pascal Monett Silver badge

      Re: only allows access to one customer's record at a time

      Database systems are designed to be as fast as possible, not to impose delays. You need to understand that there is not just one terminal (aka PC) making requests to the database, there are hundreds, if not thousands. You have the hostesses in the airports, registering luggage, you have travel agents querying the best way for their customer to travel, you have people on the Internet looking it up for themselves, and there is probably a bunch of other possible ways to send demands that I haven't the foggiest idea of.

      If you create a system where only one request can be served at a time, you are basically choking the whole system beyond usability and the whole thing collapses.

      1. robidy

        Re: only allows access to one customer's record at a time

        Of course it's possible, you need the will to implement the systems... plus maybe a bit of a biggish budget :)

      2. Nifty Silver badge

        Re: only allows access to one customer's record at a time

        I didn't say that only one record should exclusively be read at a time, rather, there needs to be a way to prevent bulk access. Websites have Captchas to check a bot is not doing the accesses.
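    As an added example (not anything easyJet runs; the log format, field names and the 50-records-per-five-minutes policy are assumptions for illustration), here is the control the last few comments circle around: a per-principal sliding-window count of distinct records touched. Replayed over the access log it is the monitoring pstones578 describes; placed in front of the record store it is the bulk-access limit Nifty asks for. It is an O(1) counter per request with state per principal, not a one-request-at-a-time lock, so it does not impose the serialisation Pascal Monett objects to, and unlike a captcha it applies to service accounts and internal tools as well as to browsers.

```python
"""Added example, not easyJet's system: per-principal sliding-window count of
distinct records touched, usable both as a detector over the access log and as
a request-time gate. Log format, field names and the 50-per-5-minutes policy
are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_DISTINCT = 50  # assumed policy: no principal touches >50 distinct bookings in 5 minutes
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


class DistinctRecordWindow:
    """Sliding-window count of distinct record ids per principal.

    Cost per access is O(1) amortised and state is per principal, so it
    neither serialises the database nor slows legitimate traffic.
    """

    def __init__(self, window: timedelta = WINDOW):
        self.window = window
        self._events = defaultdict(deque)                   # principal -> (ts, record)
        self._hits = defaultdict(lambda: defaultdict(int))  # principal -> record -> hits in window

    def observe(self, principal: str, ts: datetime, record: str) -> int:
        """Record one access; return how many distinct records this
        principal has touched in the window ending at `ts`."""
        q, hits = self._events[principal], self._hits[principal]
        q.append((ts, record))
        hits[record] += 1
        while q and ts - q[0][0] > self.window:     # expire accesses older than the window
            _, old = q.popleft()
            hits[old] -= 1
            if hits[old] == 0:
                del hits[old]
        return len(hits)


def parse_line(line: str):
    """Assumed log line: '<ISO timestamp> <principal> <action> <record id>'."""
    ts, principal, action, record = line.split()
    return datetime.strptime(ts, TS_FMT), principal, action, record


def find_bulk_access(lines, max_distinct: int = MAX_DISTINCT) -> dict:
    """Detection: replay an access log and return {principal: (when, distinct)}
    for the first moment each principal exceeded the threshold."""
    win = DistinctRecordWindow()
    alerts = {}
    for ts, principal, _action, record in sorted(parse_line(l) for l in lines if l.strip()):
        n = win.observe(principal, ts, record)
        if n > max_distinct and principal not in alerts:
            alerts[principal] = (ts.strftime(TS_FMT), n)
    return alerts


def make_gate(max_distinct: int = MAX_DISTINCT):
    """Prevention: the same counter in front of the record store. The request
    that would exceed the budget is refused; a refused attempt still counts,
    so hammering the limit does not help the caller."""
    win = DistinctRecordWindow()

    def allow(principal: str, ts: datetime, record: str) -> bool:
        return win.observe(principal, ts, record) <= max_distinct

    return allow


def constructed_log() -> list:
    """Constructed sample log, not real data: one agent working normally and
    one service account walking the booking table at one record per second."""
    base = datetime(2020, 1, 14, 9, 0, 0)

    def line(seconds, who, rec):
        return f"{(base + timedelta(seconds=seconds)).strftime(TS_FMT)} {who} view booking/{rec}"

    lines = [line(s, "agent.alice", r) for s, r in [(1, 7781), (40, 7781), (130, 9902), (400, 7781)]]
    lines += [line(s, "svc.export", 10000 + s) for s in range(60)]
    return lines


if __name__ == "__main__":
    print(find_bulk_access(constructed_log()))  # {'svc.export': ('2020-01-14T09:00:50Z', 51)}
```

    Replaying the constructed log flags only the service account that walks 60 bookings in 60 seconds; the agent who re-opens the same booking three times and looks at one other is left alone, because repeat views of the same record do not add to the distinct count. In production the threshold would be set per role from a baseline of normal traffic, and the alert would feed whatever pages the on-call team.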

  9. This post has been deleted by its author

  10. Anonymous Coward

    January? March? Which is it?

    If the hack was discovered in January, why have I been notified that details of my 29 Feb flight (booked a week earlier) have been stolen?

    Did it take them 2 months to shut off the leak? Seriously?!

    1. Free treacle

      Re: January? March? Which is it?

      Going to have to hypothesise, but the time taken for a hack to be discovered and learning the extent of a breach are not always the same thing. They may have had to arrange a third party to come in to search through (perhaps?) incomplete/scant datasets and correlate evidence of what was actually exposed (and maybe they cut costs there too).

      Customers should have been informed, countermeasures should have been put in place to secure personally identifiable data, money should have been spent by Easyjet (hah!). I don't have a high opinion of Easyjet (hence this borderline rant) and maybe they didn't take this seriously enough, but that is why I believe they may have delayed informing customers (crossing their fingers it was something insignificant).

  11. Anonymous Coward

    If I were the chairman of Easyjet or Airbus I'd have issued libel proceedings. I'm fed up with rich people mouthing off when they don't get their way. Obviously, the vote was fairly conducted, and to claim otherwise is an attack on their integrity and impartiality.

  12. gerryg

    Never forget the Mandy Rice-Davies aphorism

    They say no credit card or passport details were lost. I have no idea. Will the data they have lost be put in deep freeze until things calm down? The travel itinerary was largely irrelevant not least as the flights were cancelled so the burglar would have found me in. Reassuring messages from some bloke I have never heard of... "Well he would say that, wouldn't he?"

    1. ITS Retired

      "They say no credit card or passport details were lost."

      That means the information was copied and not cut and pasted.

  13. Anonymous Coward

    Budget airlines

    Not sorry to see them go TBH

  14. Persona

    Oh dear.

    So the hackers also know about my flight EZY8223 to Valencia on 13th January, oh my. The hack could also explain why my credit card company issued me with a new card with a new number even though the old one was not due to expire. Whilst having to change card details here and there is mildly inconvenient it's certainly not going to stop me using EasyJet once they start flying again.

    1. vtcodger Silver badge

      Re: Oh dear.

      There are a lot of folks out there who sincerely believe that personal details hacked from the Internet are a marketable entity of great worth. Credit card account info, yeah, I can believe there is a marketplace in some dingy corner of the dark web where that can be sold for a tiny fraction of a Bitcoin. (How does one do that BTW? Bitcoins aren't pieces of eight that any fool could carve up with a chisel.) But who, in or out of their right mind, would pay for your travel itinerary?

      1. Anonymous Coward

        Re: Oh dear.

        "But who, in or out of their right mind, would pay for your travel itinerary?"

        Those who would like to burgle houses knowing the owners are away, perhaps?

        1. Persona

          Re: Oh dear.

          So you are thinking that a burglar is going to invest in travel plans to hopefully locate a victim somewhere within reasonable driving distance safe in the knowledge that the house can't possibly be occupied by relatives or lodgers just because someone from there is on holiday?

          >99% of burglaries are opportunistic. The <1% that aren't won't be targeting EasyJet customers.

      2. batfink

        Re: Oh dear.

        Dear Mr Codger - this is an important message regarding your Flight EZ986 from London to Barcelona, Booking Reference ZAJKYM.

        Your flight has been cancelled, due to the ongoing Coronavirus restrictions. We apologise for any inconvenience this may have caused you.

        Please click here for your refund.

        Signed, your friendly Easyjet team.

  15. anthonyhegedus Silver badge

    How do we know they didn't steal passport number details as well?

    1. Persona

      What is the risk of your passport number being exposed. Mine is 509791552. Every hotel and car hire firm I have used in Europe has recorded that number so if there is a tangible risk surely I would have to have changed my passport number by now?

      1. Anonymous Coward

        Thanks, I need a fake passport to take out a loan

        Always good to be able to use real data on a fake passport, then that person is really on the hook and nobody will come after the scammer. Would you mind supplying your name as well, so I don't have to look it up in the data?

        You don't mind paying my loan back when they come looking for you, right?

        1. Persona

          Re: Thanks, I need a fake passport to take out a loan

          Don't be lazy: find it out yourself. Hint - if you want passport details, hotel reception staff are on not much more than minimum wage. No doubt £50 would get you photocopies of half a dozen passports. For a bit more you could also get the matching credit card details and address.

  16. NotJustAStorageDude

    At least it makes your refund easier

    ..for the flight that they instantly charged you for but will take 90 days to refund following cancellation.

    ..as you can tell the credit card company that your booking must have been fraudulent as they shared your details with others!

  17. DCdave

    I tried to put in a GDPR data request

    To find out what the barstewards actually have, as opposed to what the email says they lost.

    But of course, there is a Google-inspired "to make sure it's you, we need a copy of your ID card or passport".

    WTF? You've lost my data, and now you want me to trust you with more so that you can pretend it's for security? Just how, exactly, are you going to verify that that copy I provide is valid in any way, especially if you are not storing my passport details like I requested?

    1. Dan 55 Silver badge

      Re: I tried to put in a GDPR data request

      I have an account from ages ago and wasn't notified by EasyJet. I haven't flown with them in years and no flights appear in the flight history, so after trying and failing to find the button for deleting my account and reading that same nonsense instead, I just decided to fill it up with random data and point the e-mail address to mailinator.

      1. Anonymous Coward

        Re: I tried to put in a GDPR data request

        Not an option for me, as I still have outstanding flights with them.

        I didn't provide all of the correct data, and got a response from them to my new email address, changed after I was notified, saying they couldn't find anything under that email address and did I have another one? Have now supplied them with the old email address and will see what I get back.
