EasyJet, the U.K.’s largest airline, has recently admitted to an attack on its online booking systems, with hackers accessing the travel details of over 9 million customers. Compromised data consisted of information used for booking holidays, including name, email address, origin and destination, departure date, booking reference number and transaction amount.
The credit card details of around 2,208 customers were also accessed, with compromised data including the three-digit security code on the back of the card, known as the CVV number.
EasyJet first became aware of the attack in January, but has only recently gone public in order to warn the nine million customers whose email addresses had been stolen to be wary of phishing attacks. It said that it would notify everyone affected by the 26th of May.
The coronavirus pandemic has crippled the majority of global travel, leaving airlines struggling financially. Mike Fenton, chief executive of threat detection firm Redscan, said:
“These are already turbulent times for all companies within the aviation industry but the situation has just got significantly worse for EasyJet. When it comes to cyber security, the airline industry doesn’t have a great record. The British Airways breach in 2018 should have been a wake-up call and passenger confidence is likely to be at an all-time low after this.”
British Airways announced that the personal details of more than half a million of its customers had been harvested by hackers in September 2018. They were issued a £183m fine over the breach, but with compensation pay-outs to customers, financial damage to the organization could reach £3bn.
Terry Greer-King, vice-president of sales in Europe at SonicWall, said:
“Attacks such as the one on EasyJet should remind CTOs, CIOs and CISOs to implement security best practices like a layered approach to protection, and update any out-of-date security devices, applications or systems as a matter of course. Businesses should be working very closely with their security providers to gain a clear and real-time picture of security risks and the impact they could potentially pose to their organization.”
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Phishing attempts have risen exponentially during the coronavirus crisis, with Google blocking more than 100 million phishing attempts aimed at Gmail users every day.
Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as credit card numbers, social security numbers, account numbers or passwords. These attacks are at the heart of many of today’s most serious cyberhacks and can put your business and your customers at risk.
The Potential Impact
Under GDPR rules, if EasyJet is found to have mishandled its customers’ sensitive information, it could be issued a hefty fine from the Information Commissioner’s Office (ICO) of up to €20m (approximately $22 million) or 4% of turnover, whichever is greater. This strongly highlights the need for organizations to adopt best practice on data security across their entire corporate infrastructure and processes, not just for accepting payments.
Moreover, a breach can cause not only financial losses but also reputational damage, with customers losing trust and avoiding the company’s services.
How to Protect Valuable Customer Data
All types of fraudulent activity can have a huge impact on any business, but there are ways of reducing the risk, and possibly avoiding compromised data completely. Best practice suggests taking any sensitive information “out of scope”, removing it from the corporate network and environment. For customer payment details, this can be done using a third-party payment solutions provider, such as Key IVR, who offer an industry-leading PCI-DSS Level 1 secure payments service that processes valuable card details safely and securely.