By Jack Stubbs and Kate Holton
LONDON (Reuters) – Chinese hackers are suspected of accessing email and travel details of about nine million easyJet customers, said two sources familiar with the investigation into a cyberattack disclosed by the British airline on Tuesday.
The sources said the hacking tools and techniques used in the January attack pointed to a group of suspected Chinese hackers that has targeted multiple airlines in recent months.
The news of the data breach could result in a hefty fine for the budget airline, which has already been forced to ground its flights because of the COVID-19 pandemic and is battling its founder and biggest shareholder in a long-running dispute over the carrier’s business strategy.
An easyJet spokeswoman declined to comment on who was responsible for the attack and Reuters could not determine on whose behalf the hackers were working.
The Chinese embassy in London did not respond to a request for comment. Beijing has repeatedly denied conducting offensive cyber operations and says it is frequently the victim of such attacks itself.
Johan Lundgren, easyJet’s chief executive, said there was heightened concern about personal data being used for online scams as more people worked from home because of the COVID-19 pandemic.
“As a result, and on the recommendation of the ICO (watchdog), we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications,” he said.
TARGETING TRAVEL RECORDS
The sources, who spoke on condition of anonymity because of the sensitivity of the matter, said the same group of hackers had previously targeted travel records and other data to track the movement of specific individuals, as opposed to stealing credit card details for financial gain.
“Interest in who is travelling on which routes can be valuable for counter-intelligence or other tracking of persons of interest,” said Saher Naumaan, a threat intelligence analyst at BAE Systems, who has investigated similar attacks.
EasyJet said that credit card details of more than 2,000 customers had also been compromised but it did not look like any personal information had been misused.
The company said it had engaged forensic experts to investigate the issue and also notified Britain’s National Cyber Security Centre (NCSC).
An NCSC spokesman said: “We are aware of this incident and have been working with easyJet from the outset to understand how it has affected people in the UK.”
Britain’s Information Commissioner’s Office (ICO) said it was also investigating the attack and urged anyone affected by data breaches to be particularly vigilant for phishing attacks and scam messages.
“People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary,” it said.
The ICO protects information rights and has the power to impose fines.
British Airways, owned by airlines group AIG, is still appealing against a 183.4 million pound ($225 million) fine it received from the ICO after hackers stole credit card details of hundreds of thousands of its customers in 2018.
EasyJet shares, which have lost 64% of their value in three months, were down almost 1% at 1640 GMT.
($1 = 0.8167 pounds)
(Additional reporting by Michael Holden; Editing by Mark Potter, David Goodman and Jon Boyle)