European budget airline EasyJet has been hacked, with attackers making off with personal details for 9 million customers.
It was, the airline said, a “highly sophisticated attack” that exposed the email addresses and travel itineraries of the victims, along with payment-card information for 2,208 customers.
EasyJet CEO Johan Lundgren said that the effort overwhelmed what he characterized as the airline’s “robust” security profile.
“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information,” he said in a media statement. “However, this is an evolving threat as cyberattackers get ever more sophisticated.” He added, “Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems and our data.”
EasyJet said that it complied with regulations and reported the breach to the UK’s Information Commissioner’s Office (ICO), the watchdog responsible for information security. It’s also informing customers of the breach, it said, and has addressed the issue that allowed the attackers into its systems. There’s no word on the nature of that vulnerability — Threatpost has reached out for comment.
Affected EasyJet customers should be concerned over social-engineering attacks that could make use of the travel information to craft highly convincing emails bent on luring victims into clicking on a malicious link or attachment, or submitting more personal information via a phishing page.
“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams,” Lundgren said. “As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
Jeff Sakasegawa, trust and safety architect at Sift, noted that the issue comes at a particularly sensitive time for airlines as people restrict travel due to the coronavirus pandemic.
“Throughout this crisis, we’ve seen highly elevated fraud rates across the travel and transportation industry, as scammers continue to target carriers, hotels and aggregator sites despite lowered transaction volume,” he said via email. “The credit-card info exposed in this incident will very likely end up being sold through Dark Web marketplaces for pennies per card, and likely result in payment fraud attacks across a variety of websites. Travel merchants should be extra vigilant at this time and ensure they review all suspicious transactions in order to avoid costly chargebacks and penalty fees from payment providers.”
Loyalty card fraud is another potential follow-on issue.
“Phishing and credit-card information aside, gaining access to loyalty programs can make airline data breaches especially lucrative for attackers,” said Michael Reitblat, CEO and co-founder at Forter, via email. “Unlike consumer bank accounts and credit cards, loyalty programs typically aren’t well monitored by either the airline or the consumer. This makes air miles – a form of digital currency – an easy target. In fact, fraud attack rates against airlines increased by 72 percent last year. Credit monitoring is an important precaution, but customers should also monitor all airline loyalty accounts carefully to ensure fraudsters aren’t taking advantage of their miles.”
The airline industry is no stranger to data breaches, including high-profile incidents at British Airways and Cathay Pacific. BA, for its part, is facing a class-action lawsuit after exposing personal and financial details of a half-million customers, and was hit with a hefty $230 million fine last year. Cathay Pacific, meanwhile, was served an enforcement notice from the Hong Kong government last year, in the wake of “unauthorized personnel” accessing the personal data for up to 9.4 million passengers, including their passport numbers, along with a small amount of card information.
“We know by looking at recent breaches in the aviation industry the tools, tactics and procedures (TTPs) being used are largely the same ones that have led to significant breaches in other industries,” Richard Cassidy, senior director of security strategy at Exabeam, told Threatpost. “Attackers need credentials to access critical data — we can be certain of this — and often it is social-engineering techniques that reveal those credentials. Attackers then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this — as we are seeing here — it is then a case of packaging and exfiltrating critical data.”