EasyJet data breach

Last updated

The EasyJet data breach was a cyberattack on the computer systems of British airline EasyJet. [1] [2]

Contents

Discovery

EasyJet first learned of the cyberattack at the end of January 2020. [1] [2] Approximately nine million people were affected with the credit card details of 2,208 also accessed. [1] EasyJet notified the Information Commissioner's Office while they were investigating the breach. [1]

Public admission

EasyJet publicly revealed the attack in May 2020. [1] They told the BBC that they were only able to notify customers whose details (credit card or email addresses) were stolen in April 2020. [1] EasyJet told BBC "This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted". [1] They also said "We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed". [1]

The affected data covers flight bookings made from 17 October 2019 to 4 March 2020. [2]

The stolen credit card details include the card security code. [1]

EasyJet said they had gone public to notify the nine million customers whose email addresses had been accessed to beware of phishing attacks and that it would notify everybody by 26 May. [1] Passengers whose credit card details were accessed were notified in April. [2] They did not reveal details of the attack but said it seemed to be aimed at "company intellectual property" rather than information that could be used in identity theft. [1]

EasyJet was not obliged to notify passengers whose basic booking details were compromised but they announced the details because of an increase in phishing attacks during the COVID-19 pandemic. [2] Passport details were not accessed. [2]

The Information Commissioner's Office said they were investigating. [1] The ICO said "People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary". [1]

GDPR requires companies to store personal details securely and EasyJet could face fines from the ICO of 4% of the airlines' turnover in 2019. [2]

See also

Related Research Articles

<span class="mw-page-title-main">Phishing</span> Attempt to trick a person into revealing information

Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim. As of 2020, phishing is by far the most common attack performed by cybercriminals, the FBI's Internet Crime Complaint Centre recording over twice as many incidents of phishing than any other type of computer crime.

<span class="mw-page-title-main">Social engineering (security)</span> Psychological manipulation of people into performing actions or divulging confidential information

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

<span class="mw-page-title-main">Information Commissioner's Office</span> Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.

A spoofed URL describes one website that poses as another website. It sometimes applies a mechanism that exploits bugs in web browser technology, allowing a malicious computer attack. Such attacks are most effective against computers that lack recent security patches. Others are designed for the purpose of a parody.

<span class="mw-page-title-main">Timeline of Internet conflicts</span>

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

The Department of Revenue is a department of the South Carolina state government responsible for the administration of 32 different state taxes in South Carolina.

The 2011 PlayStation Network outage was the result of an "external intrusion" on Sony's PlayStation Network and Qriocity services, in which personal details from approximately 77 million accounts were compromised and prevented users of PlayStation 3 and PlayStation Portable consoles from accessing the service. The attack occurred between April 17 and April 19, 2011, forcing Sony to turn off the PlayStation Network on April 20. On May 4, Sony confirmed that personally identifiable information from each of the 77 million accounts had been exposed. The outage lasted 23 days.

Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. Social hacking is most commonly associated as a component of “social engineering”.

Fancy Bear is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks, ThreatConnect, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165.

The Internet service company Yahoo! was subject to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.

The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax. Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.

Charming Kitten is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat.

In 2018 there was a data breach that affected 380,000 to 500,000 customers of British Airways.

Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. With over 690 million internet subscribers and growing, India has increasingly seen a rise in data breaches both in the private and public sector. This is a list of some of the biggest data breaches in the country.

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

The 2021 Air India cyberattack was a cyberattack that affected more than 4.5 million customers of Air India airlines.

The Epik data breach occurred in 2021 and targeted the American domain registrar and web hosting company Epik. The breach exposed a wide range of information including personal information of customers, domain history and purchase records, credit card information, internal company emails, and records from the company's WHOIS privacy service. More than 15 million unique email addresses were exposed, belonging to customers and to non-customers whose information had been scraped. The attackers responsible for the breach identified themselves as members of the hacktivist collective Anonymous. The attackers released an initial 180 gigabyte dataset on September 13, 2021, though the data appeared to have been exfiltrated in late February of the same year. A second release, this time containing bootable disk images, was made on September 29. A third release on October 4 reportedly contained more bootable disk images and documents belonging to the Texas Republican Party, a customer of Epik's.

References

  1. 1 2 3 4 5 6 7 8 9 10 11 12 13 Wakefield, Jane (19 May 2020). "EasyJet admits data of nine million hacked". BBC News . Retrieved 20 May 2020.
  2. 1 2 3 4 5 6 7 Calder, Simon (19 May 2020). "EasyJet hack: what does it mean for me and my personal data?". The Independent . Retrieved 20 May 2020.