easyJet confirmed that it has been a victim of data breach, where the hacker gained access to nine million customers’ email addresses and travel details. Additionally, 2,208 credit-card details were also compromised. The company has yet to disclose when and how the breach occurred. It has alerted the UK’s Information Commissioner’s Office and National Cyber Security Centre (NCSC) as well as hired an expert to look into the breach.
Airports and airlines are increasingly reliant on technology and the global aviation industry is more connected than ever before, making these companies much more susceptible to cyberattacks. Research from ImmuniWeb found that 97% of the world’s top airports failed the cybersecurity posture test administered by the firm. Unfortunately, this data breach impacting easyJet passengers illuminates how many organizations’ cybersecurity and compliance practices are reactive.
To properly protect customer data, airlines and all organizations must transition to more advanced, proactive security measures. Companies should follow the principle of least-privileged access when provisioning identity and access management (IAM) permissions by providing checks to restrict identities from being able to access more than they are granted in their systems. This can be accomplished by employing automated security tools that continuously protect systems and servers from IAM vulnerabilities, as well as misconfigurations, policy violations, and other threats to ensure holistic security and compliance. Additionally, organizations should implement multi-factor authentication (MFA) for all users, securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles.”
The airline industry is an extremely attractive target to cybercriminals, as they can collect and store personally identifiable information (PII) on billions of passengers every year, including passport numbers, credit card information, email addresses and much more. In this easyJet incident, millions of passenger email addresses and travel details, along with thousands of credit card numbers were compromised. Although the airline stated that there is no evidence of the data being misused, bad actors could leverage this information to launch sophisticated phishing attacks against those impacted to gather even more sensitive. Additionally, hackers could sell or leak the credit card information on the dark web for others to commit financial fraud.
It’s unclear at this time how the hackers infiltrated easyJet’s systems, but the company says it was a ‘highly sophisticated’ attack, illustrating that cybercriminals are constantly advancing their attack methods. As such, companies must have full visibility and control over their data by implementing tools that detect and remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information
This data breach is another sobering lesson that should serve as a warning to forward-looking cybersecurity leaders. Security teams need to know who is in their environment, what they have access to and what they are doing. Too many organizations continue to operate in a gray area of unknown risk. Addressing this challenge requires an accurate and timely measurement of the risks that lurk in those gray areas.
Conventional cybersecurity products are good at detecting and blocking known threats. But it’s the unknown security threats that organizations must defend against. Monitoring for cyberattacks after the fact is too late. However, behavior analytics solutions use machine learning algorithms to detect anomalous activities before an attacker can strike, helping keep organizations secure against modern threats
This is a difficult time for airlines and a data breach isn’t going to help with regaining customers’ trust. EasyJet will quickly need to explain why it has taken so long since January to announce this and why the affected customers have still not been informed. The fact that it has been working with ICO and NCSC is reassuring, and hopefully this will reduce any potential GDPR fines, but either way this is not going to do its business any favours.
Airlines can be a lucrative target for hackers as they are a treasure trove of personal information. They are very well known brands with critical missions of safety, compliance and keeping to schedule, so attackers would see them as likely to pay out large sums in a ransomware or other extortion scenario. As a result, robust security measures need to be put in place across the industry to reduce the risk of future attacks being successful.
With the travel industry already facing mounting criticism as thousands of customers struggle to receive refunds in the wake of the coronavirus pandemic, news that nine million EasyJet customers have had their personal information exposed is another damaging blow to the airline.
Although EasyJet has said that there is no evidence any customer data has been misused, the fact that over 2,000 customers have had their credit card details exposed is disastrous. Customers could fall victim to identity theft and serious financial fraud. As advised by the ICO, contacting those who may have been affected is the first step for EasyJet, but the company will have to do much more to regain their trust.
In 2018, competitor airline British Airways was penalised for a data breach affecting half-a-million customers. The ICO announced its intentions to issue the airline a record-breaking fine of £183 million, which is in addition to possible compensation pay-outs for customers that could reach up to £3 billion. With EasyJet’s data breach affecting many more customers, it too could face significant fines and compensation claims.
The exact size of the fine will become clear as more details are revealed. However, in accordance with the GDPR, the airline could face a penalty of up to 4% of its annual worldwide turnover of the preceding financial year. It is impossible to determine yet whether or not there has been negligence but, if so, consumers could be eligible to claim compensation, raising the financial penalty imposed on the airline significantly.
At this stage, it’s not clear how the hackers managed to gain access to EasyJet’s systems. However, with the disruption caused by COVID-19, we have seen a notable increase in attackers targeting all sectors, including travel, to take advantage of the reduced resources and focus on cyber security.
Despite the current climate, technical defence is still paramount, and in particular, regular penetration testing is vital, particularly in the current remote environment many business are operating in. All organisations must take steps to protect their systems and ultimately customer data. This means taking basic steps such as putting in place regular security assessments, a strong patching and password policy, and enforcement of multi-factor authentication on every public facing system. These are not silver bullets but can go a long way to improving security.
Transparency is key in maintaining customer trust, especially for firms like EasyJet in the travel industry. The company needs to inform customers about the breach and implications quickly, even if no data has been misused. This is especially important in light of the current COVID-19 situation where security concerns are particularly heightened.
Passengers have to trust that airlines are securing their Personal Identifiable Information when they book with them, but a breach of this magnitude breaks that trust. In many cases, we are still seeing misconfigurations/human errors commonly used by attackers to exploit victims with misuse of encryption often compounding the effects of human error in each type of breach. Allowing the information of about 9 million customers to be breached is a huge error, especially considering that the credit card details of more than 2,000 customers were also compromised.
Our research has seen a rise in COVID-19 themed malware targeting users. EasyJet customers should be especially vigilant of any correspondence that requires action. This breach could have catastrophic consequences such as identity theft, ransomware being downloaded to personal devices that are being used for corporate purposes. We will most likely see a series of phishing attacks targeting EasyJet customers in the near future, so all customers should be on the alert for suspicious activity.
Transportation as part of critical national infrastructure is a tempting target for nation state threat actors and cybercriminals alike. Whilst EasyJet characterise this attack as coming “from a highly sophisticated source” we’ve yet to see details that corroborate the sophistication or attacker attribution. It may well be the case that, like the British Airways attack, they’ve had a web application compromised which has been used to gain unauthorised access. As 9 million customers’ data has been accessed, it is a significant breach. Even if EasyJet were found to be significantly accountable by the ICO I doubt there would be much appetite for a big GDPR fine when the sector is already on its knees and close to collapse for some airlines.
9 million user records and just 2 million credit card details seem to be just a tiny percentage of the total number of EasyJet customers. This may be an indicator that either the attack affected an isolated server or probably a supplier, or that it was quickly detected stopping data exfiltration process of the attackers.
The scant volume of currently disclosed information about the data breach is, however, insufficient to make definitive conclusions about the origins and potential consequences of the attack. In any case, it will likely be difficult to avoid financial penalties under the GDPR, but depending on the negligence involved in the cause of the incident, the fine may be rather nominal than exemplary punitive.
Affected customers should urgently contact their banks to consider credit card cancellation and re-issue process.
So many organisations and businesses are facing threats to their very existence at the moment that cyber threats almost pale into insignificance compared to the other challenges. However, cybercriminals will take advantage of anyone taking their eye off the ball and could well be targeting industries and companies they think are struggling, knowing that budgets will be cut and focus will be elsewhere. Staying vigilant to any vulnerabilities that could provide an entry point to these opportunists needs to remain a priority – for the price of a bounty paid to a hacker for reporting anything they find, companies could save themselves far more than if a hack leads to fines and loss of trust that will cost them at a time they really can\’t afford it.
Although not sufficient enough to commit Identity Theft or Financial Fraud on its own, the theft of emails and travel plans could be used to launch phishing campaigns against the affected individuals. Combined with other personal information scraped from public social media profiles, these stolen emails can be customised and crafted to target the individual, thereby increasing the likelihood that the victim will be induced to provide passwords or sensitive account access.
In addition, sensitive accounts might be at risk as email account passwords can be obtained in the Dark Web and many users reuse passwords across multiple accounts. The use of multi factor authentication and practising proper password hygiene is a necessary step to best avoid account takeovers which may lead to Identity Theft or Financial Fraud – in addition, putting in place a credit freeze will also greatly reduce the chances of identity theft.
Airlines are already struggling in the face of the challenges generated by the COVID-19 pandemic so this is more bad news for the industry.
All personally identifiable information can be valuable if it falls into the wrong hands, and in this case credit card details of EasyJet customers were stolen.
It seems like EasyJet have followed correct procedures by notifying the customers who were affected and publicly warning the nine million people whose email addresses had been stolen but if organisations want to stay in business then they must prioritise security and protecting their data and if they cannot attract and retain cybersecurity professionals, then they must partner with trusted partners who can support them in delivering trusted security platforms and expertise services.
Attackers know that many organisations are not taking a strong enough stance when it comes to access security. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS Apps including HR Systems, File Storage Services and CRM.
Users should follow EasyJet security requirements for access and use of their online account services. I recommend taking the time to carry out a review of all your other online account and if any of your online accounts use the same credentials including password as your EasyJet account –change it immediately and apply-two-factor authentication where possible.
This last thing that the travel industry needed right now was a data breach of this size and scale. However you look at it, nine million customers with their data breached is not a good look and the true cost of this to EasyJet is yet to be revealed. Such breaches occur with depressing regularity now, yet organisations do not seem to think it will happen to them – until it does.
Effective cyber security is not just a question of investing in the latest software, it’s about that combination of people, processes and technology. If an organisation is lacking any one of these three, then they will be vulnerable. People use budget airlines in their millions and accept that certain elements of the experience will be different to other airlines. Whether that acceptance extends to having their personal information hacked, is another question.
Not for the first time an airline company has fallen prey to a data breach. The valuable haul of personal information they hold is a magnet for cyber criminals which means, sadly, it probably won’t be the last.
As attackers become more sophisticated and attacks continue to evolve, cyber security teams newly adjusted to remote working are experiencing unusually high levels of threat alerts. Brute force attacks against firewalls, VPNs and Remote Access Servers, in particular, have skyrocketed during the Covid-19 pandemic.
Cyber security teams are crying out for tools that take account of an organisation’s risk profile and automatically place security alerts into context. Armed with this intelligence they are much better equipped to take informed decisions and respond more rapidly to serious security incidents.
A lot of people are missing the potential big picture impact of the EasyJet breach and the risk it could pose to other enterprise or government organizations. Of course the individuals impacted should heighten their cybersecurity awareness and take steps to further protect themselves – but the organizations these nine million people work for need to be vigilant too. One thing we noticed from past breaches at places like American Airlines and the U.S. Office of Personnel Management is that the goal was to get information that can be used by nation states or other groups for blackmail, further hacking or other malicious campaigns. If this attack was carried out by a sophisticated group that was more interested in EasyJet’s intellectual property than it was in stealing personal customer information – like the company has suggested – this is a very likely scenario. The personal information these attackers have gained provides a huge strategic advantage where they can prioritize high value target organizations and agencies with phishing tactics that leverage an extensive amount of personal data.
There is enough personal information in the stolen records to make those people targets for identity theft and fraud. Hackers are likely to trade the stolen data as well as trying to trick customers into revealing further personal details using targeted phishing emails.
It’s just a numbers game for hackers, as they can easily send tens of thousands of emails in the hope of tricking a handful of customers. Customers affected should be suspicious of any emails or even phone calls that relate to the breach, no matter how plausible, and should not give away more personal information. They should also be vigilant for suspicious credit-card transactions. We have seen a sharp increase in phishing attempts and cyber-attacks over recent weeks, with many related to the Covid-19 pandemic. I would not be surprised to see further attacks launched using this stolen data.
These uncertain times have given rise to a new cadence of cyber attacks facing organisations, and hackers are increasingly targeting vital industries which may have become more vulnerable due to COVID-19. Unfortunately, new remote working conditions combined with IT and security budget constraints, has meant organisations are facing unprecedented levels of cyber attacks.
The EasyJet data breach means millions of customers’ passwords and email addresses have been leaked, and therefore it is of the utmost importance that these customers change their log-in credentials for all platforms which also utilise these passwords. Moving forward, it is also essential that multi-factor authentication steps are implemented on all personal and professional devices and accounts, and organisations must implement privileged access management security protocols so that hackers are stopped in their tracks. It’s worth remembering that it’s no longer ‘business as usual’ for organisations across the world, but for cyber criminals it’s just another day in the office.
Cyber criminals are opportunistic and immoral, and have increasingly targeted large, small and medium-sized organisations with a plethora of sophisticated scams, malware, phishing and hacking attacks, hoping to capitalise on their weakened state as a result of COVID-19.
Unfortunately, the influx of new and personally-owned devices into an ever-increasing remote workforce has expanded the window of opportunity for cyber attackers – providing them with a much larger range of devices and untrained remote workers to target.
Ensuring an attack of this scale does not happen again requires a concerted effort across all levels of an organisation. This starts with implementing comprehensive and resilient endpoint security which enables IT managers to remotely identify, secure or disable any potentially vulnerable devices belonging to their organisation, whether or not they are connected to the corporate network, all from the safety of their own home.
Now more than ever in the current WFH environment, individuals and enterprises should replace passwords with user identity certificates. PKI-based identity certificates make life much easier for employees by eradicating the burden of remembering, updating, and managing passwords.
Another proactive step enterprises should take is to replace multi-factor authentication with no-touch authentication. Unlike hardware-token multi-factor authentication (MFA), or SMS-based MFA, digital certificates simplify the employee experience by easing the burden of security when a workforce is remote.
Enterprises should also be proactive in automating the issuance of all identity certificates, enabling IT security teams to issue, revoke, and replace certificates quickly, reliably, and at scale, while alleviating their management burden.