Security experts have warned that the personal details of millions of easyJet customers could be sold on the dark web, after they were “accessed” by hackers during a cyber attack.
Around nine million people were caught up in the breach, of whom over 2,200 had credit card information taken. The budget airline has not revealed the full extent of the breach and it is not yet clear whether the compromised data includes CVV numbers (the three-digit code on the back of credit cards) and expiry dates, which would give hackers freer means to use the cards.
It is also currently unclear how hackers managed to breach the airline’s systems. The company said it is working with the Information Commissioner’s Office (ICO) and National Cyber Security Centre to get a better understanding.
“There is no evidence that any personal information of any nature has been misused,” the airline said in a statement. “We are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
Why was easyJet targeted?
This is not the first time that an airline has suffered a cyberattack; in 2018, cyber-criminals stole payment card details from an estimated 500,000 British Airways passengers. Delta and Cathay Pacific were both targeted the same year.
Netscout, a company which provides application and network performance management products, said that attacks against airlines throughout 2017 and 2018 increased by more than 15,000 per cent, for a number of reasons.
“Airlines may be specifically targeted at the moment because criminals know they will be vulnerable and their focus and priorities on remaining in business, however, traditional enterprises like airlines have always been an attractive target since few are digital first businesses and therefore have relied on legacy software, which is more likely to be out of date or have existing vulnerabilities that can be exploited,” said Alice Collins, from bug bounty business HackerOne.
The view is shared by James Smith, head of penetration testing at Bridewell Consulting. “Airlines hold valuable personal information [that] could all be used by criminal organisations to commit identity fraud or further phishing campaigns as part of a larger operation,” he said. “Even the barcode on someone’s airline ticket is a route into gaining personal data.”
How valuable is personal information to hackers?
When British Airways was hacked, cyber security experts said that customer information would be published on the dark web – a part of the internet not available via traditional search engines that is used to sell personal information, illicit substances, weapons, and other illegal products – and that such details can sell for upwards of £50 in the right circumstances.
However, those numbers are not set in stone, and experts will be able to make more accurate estimations when more information about the hack is revealed. “While it is hard to conclusively state an exact price these data will fetch in the Internet’s illegal markets, credit card details can be exchanged for as low as £10, while in the aftermath of 2018’s British Airways hack, stolen logins sold for as little as £7,” said SonicWall’s VP EMEA Terry Greer-King, who also said that personal information changes less often than bank information and therefore “drives a higher price on the dark web.”
Although news of the breach is likely to make the stolen data less attractive, it will still be of a certain value to those wanting to use stolen credit card information. “Some criminals keep the data for personal use or for use within organised crime, it could also be used in a ransom scenario or sold on the dark web. At present, it is too early to tell what has happened with EasyJet’s customers’ data,” said James Smith.
Who, or what, caused the breach?
The British Airways hack has been attributed to Magecart, a group of hackers who use web-based card skimmers (hidden inside ATMs, fuel pumps, and websites) to steal card information, according to RiskIQ, which published details tracking the British Airways hackers’ strategy.
Professor Alan Woodward of the University of Surrey, who specialises in computer security, hypothesised that the breach could be a similar affair due to the low number of card details left accessible. “So either credit card details [were] not encrypted or it’s Magecart again. I can’t see why they’d leave only 2,000 cards unencrypted, so suggests Magecart,” he said.
Whether or not it was Magecart, the amount of personal information that was left available is troubling. “While easyJet has reported that there’s no evidence that the accessed data has been misused, no one can be certain that the data won’t be misused in the future,” said Boris Cipot, a senior security engineer at Synopsys.
Malicious individuals could use that information themselves, or use it as a means to get more valuable information by phishing customers – pretending to be a trustworthy body to make their victims hand over more data. By using customer names, mobile numbers, or home addresses, the hackers could pretend to be a building society and attempt to gather more sensitive logins such as banking information, for example.
“The additional threat at the moment to customers is that they will be expecting communications from the airlines regarding any upcoming travel and therefore more likely to be taken in by a malicious email posing as easyJet so any customers who are expecting communications from easyJet should be extra vigilant that the email comes from the legitimate source and not to click on any links that seem suspicious or ask for personal information,” Collins also advised.
What should customers do?
Affected customers should be contacted by easyJet no later than 26 May, but those who want to be safe should change their easyJet passwords, ensure that they are not using the same password for multiple websites, and monitor their credit cards for suspicious activity.
“While the investigation is ongoing, and the real scope is not yet clear, it is still important for easyJet customers to change passwords, monitor activity on their credit card accounts and be aware of any phishing emails. If any suspicious purchase activity on the account occurs, it makes sense to cancel and reissue their card,” said Matt Middleton-Leal, a General Manager at private IT security software company Netwrix.
Following the British Airways hack, the ICO levied a fine of £183m against the airline under the General Data Protection Regulation (GDPR), which states that an organisation that does not protect customers’ data can be fined up to 4 per cent of annual global revenue. The average total cost of a data breach is approximately £3.2m.
We have reached out to the ICO and easyJet for further details of the breach and whether a similar fine will be issued to the airline.