easyJet Suffers Massive Data Breach of Sensitive Information

Have you been to Europe recently? Unfortunately UK-based budget airline easyJet announced on Tuesday that it had “been the target of an attack from a highly sophisticated source” that impacted over 9 million people.  To make matters worse, some of the information stolen in the data breach was very sensitive information.

“What is a data breach?”

A data breach is when information is exposed to someone who should not be able to see it. While most data breaches that you hear about in the news are related to passwords or credit card information being stolen by a hacker, a data breach can also include your personal information, health information, or proprietary information from your organization. These are all things that shouldn't fall into the wrong hands.

“Ok, but what does it mean for me?”

Data breaches can be tricky because you have to understand what has been taken, and how you can protect yourself from that information being used inappropriately. For example, if the news reported that passwords had been stolen from a website, you would change your password for that website. Or, if your credit card number gets stolen, you usually report it to your credit card company and receive a new one.  If you don’t take action though, this could lead to problems for you.

“What happened this time?

According to the notice from easyJet, the hackers were able to access a number of types of sensitive information. We won’t dive into the technical details of the data breach here since most of those were not disclosed, but the types of information exposed included:

• For 9 million people:

  • Email address

  • Travel details

• For about 2,208 people:

  • Credit card information, including CVV (the three digit code on the back of your card, which basically gives someone full access to using your card)

  • Passport information

“So what do I do?”

The key after a data breach is to focus on the sensitive information that was stolen, and what actions that you can take to mitigate the effects.  We’ve outlined the most important ones below, and what you should do right now.  easyJet has also said they will notify anyone who was impacted no later than May 26.

EMAIL

Your email has likely become an extension of your name at this point, so how do you protect it? Unlike your name you have a few options. Changing it doesn’t make sense since you’ll have to update your family, friends, and websites with your new address. Instead, make sure you stay alert for phishing emails (emails that try to trick you into doing something bad) since your email has probably been added to a spam list and you’ll be receiving more junk email soon.  You should also make sure that the password you use for your email is not the same password that was stolen during the data breach.

TRAVEL DETAILS

Unfortunately the term “travel details” outlined in the notice is vague.  Most likely this includes your flight itinerary (i.e. what airports you flew in/out of and flight numbers).  However it may also include other information you provide the airlines when you fly like your name, address, and contact information.  If it’s just your flight info, there’s not a lot you can do, but if the “travel details” end up including the additional information mentioned here, you’ll also need to take action on the following three items:

NAME

Unfortunately, there’s not a lot you can do to protect your name if it has been stolen in a data breach. Buying services like identity theft monitoring can help, but the best way is by freezing your credit. Check out our easy to follow guide for more information

ADDRESS

Unfortunately your address isn’t virtual and you can’t just “reset it.”  So what can you do?  Most likely no one is going to come visit you, but they may try to use your address to apply for a new credit card.

PHONE NUMBER

When your phone number is stolen, it usually gets added to a call list for scam calls. These could be fake calls from “the IRS”, “the Chinese Consulate”, “your boss”, or someone with “a great vacation offer.”  While the government and telephone companies are trying to figure out how to reduce the number of calls coming through (including the fake calls that come from your own number!), it’s best to not answer any call from a number you don’t know. If you do answer, be skeptical, and ask to call them back  on a number you know or that you can search for online (for a business).

CREDIT CARD NUMBER

In this case, it looks like only a small subset of the 9 million people had their full credit card information stolen.  According to easyJet, those impacted have been notified.  If you were notified, you should contact your credit card company and request a new card immediately. If you weren’t contacted, it’s worth keeping an eye on your credit card statements and purchases for any strange activity, and if you see some, call your credit card company immediately and report it.

PASSPORT INFORMATION

Similar to above, only a small subset of people had their passport information stolen. Having your passport stolen is bad because it’s an identifying document.  It could be misused from allowing someone to travel illegally, to applying for new credit.  Luckily the United States Department of State has an online form where you can report your passport stolen.  You can then apply for a new one immediately afterwards.

Finally, if you’re worried about staying on top of the latest data breaches, make sure to subscribe to the ACT Digest, where we’ll tell you about what’s going on in the cybersecurity world, and how you can protect yourself, your friends, your family, and your organization.

Follow us - stay ahead.

Read more of the ACT