British low-cost airline group EasyJet revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach.
The result? Email addresses and travel details of approximately 9 million customers, and credit card details (including CVV numbers) of 2,208 customers, were accessed.
How did the attackers manage to breach EasyJet?
EasyJet’s official notice about the incident did not say when it happened, but the company told the BBC that it became aware of the intrusion in January and that the customers whose credit card details were stolen were notified in early April.
They also did not say how the attackers got in, only that it seems that they were after “company intellectual property.” Grabbing customer info might have been an afterthought or a secondary goal, then.
Richard Cassidy, senior director of security strategy at Exabeam, says that recent breaches in the aviation industry show the same tools, tactics and procedures (TTPs) that have led to significant breaches in other industries.
“Attackers need credentials to access critical data – we can be certain of this – and often it is social engineering techniques that reveal those credentials. They then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this – as we are seeing here – it is then a case of packaging and exfiltrating critical data,” he added.
“Some airlines are doing it right – implementing state of the art behavioural analytics technologies that learn the normal behaviour of the network and immediately notify the security team when anomalies occur. Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTPs we’ve seen targeted at aviation this past decade.”
Professor Alan Woodward of the University of Surrey noted in a tweet (Alan Woodward, @ProfWoodward, May 19, 2020) that the stolen credit card information might have been the result of a Magecart attack.
It would not be the first time for an airline to be targeted by Magecart attackers – British Airways was hit in 2018.
Advice for affected customers
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO [the UK’s data protection watchdog], we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” said EasyJet Chief Executive Officer Johan Lundgren.
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”
Unsolicited communications may take the form of fake invoices, refund offers, requests for additional data, and so on.
“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website,” advised Tim Sadler, CEO, Tessian.
“Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time. The travel industry especially has been severely impacted by COVID-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future. Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices and are carrying them out at all times.”
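The sender check Sadler describes, written out as a small filter over constructed example headers (an added example, not code from the article or from Tessian; the trusted sending domain is an assumption):

```python
import re
from email.utils import parseaddr

# Brand names a display name might claim, mapped to the domains that brand
# actually sends from. The domain below is an ASSUMPTION for illustration;
# use the organisation's published sending domains in practice.
TRUSTED_DOMAINS = {"easyjet": {"easyjet.com"}}

# Phrases that push the reader towards an urgent action.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|act now|suspended)\b", re.I)


def check_sender(from_header: str, subject: str = "") -> list[str]:
    """Return warnings for a From: header and optional Subject: line.

    Warns when the display name or address claims a brand but the mail
    does not come from that brand's domain, and when the subject demands
    urgent action (the cue to verify via the company's own website instead).
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    warnings = []
    for brand, domains in TRUSTED_DOMAINS.items():
        claims_brand = brand in display_name.lower() or brand in address.lower()
        # Accept the brand's domain and its subdomains (e.g. mail.easyjet.com).
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if claims_brand and not legit:
            warnings.append(f"claims '{brand}' but sent from {domain}")
    if URGENCY.search(subject):
        warnings.append("demands urgent action; verify via the official website")
    return warnings


# Constructed sample headers, not real messages.
SAMPLES = [
    ("easyJet Customer Care <refunds@easyjet.com>", "Your booking"),
    ("easyJet Refunds <refund@easyjet-support.net>", "URGENT: claim your refund"),
    ("Alice <alice@example.org>", "Lunch?"),
]

if __name__ == "__main__":
    for hdr, subj in SAMPLES:
        print(hdr, "->", check_sender(hdr, subj) or ["ok"])
```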
The UK National Cyber Security Centre (NCSC) has advised affected customers to:
- Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information
- Change their password on their EasyJet accounts (and other accounts that have the same password)
- Check whether their account has appeared in any other public data breaches
- Depending on their nature, report any fraud attempts to the police, the NCSC, and their bank’s fraud department.
- Tivium Ltd (a green deal energy company with a registered office in North London) has been prosecuted for failing to respond to an Information Notice issued by the ICO. The fine was £5,000 with a £120 victim surcharge and prosecution costs of £489.85. The company appears to still be trading (apparently based in the North of England) but its website indicates that it is closed to new customers.
- The ICO has taken enforcement action against high street and online shoe retailer Office [Office Holdings Ltd, based in the City of London] after the personal data of over one million customers was left exposed due to a hacking incident. The reasons for the ICO action were:
1. The ICO was informed on 29th May 2014 that a member of the public had hacked into an unencrypted historic Office database that was being stored on a legacy server outside the core infrastructure of the current website.
2. This individual had managed to gain potential access to personal data relating to over a million Office customers, including contact details and website passwords. However, the data controller has confirmed that it does not store customers’ bank details, so financial information was not compromised. Moreover, there is no evidence to suggest that the information accessed has been further disclosed or otherwise used.
3. Office explained that there were several technical measures in place to minimise the risk of such an attack, although the hacker managed to bypass these measures to gain access to the legacy servers undetected.
4. Office has also confirmed that whilst penetration tests were carried out on the new websites before migration, only a single such test was completed on the old system, the results of which were not concluded or recorded, due to the legacy system being in the process of being decommissioned.
5. Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk.
6. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought. As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over cautious and not strictly required.
7. Amongst other remedial measures taken by Office since the incident, the servers in question have now been decommissioned and a new hosting infrastructure is in place.
- An eye care company has been formally warned by the ICO to stop sending out nuisance text messages or face further action. The ICO has served an enforcement notice on Optical Express (Westfield) Ltd, after over 4,600 people registered concerns between September 2013 and April 2014. The concerns about the unsolicited messages were reported to the mobile networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing [this is a breach of Regulation 22 (2) of the Privacy & Electronic Communications Regulations 2003]. The Glasgow-based business which has branches across the UK had been sending out texts that included details of a competition to win free laser eye surgery.
- Pinsent Masons (a UK law firm) has published an article in Out-Law news and guidance entitled “Data Protection Officers – will EU businesses face an obligation to appoint one?” The article gives a useful summary of the proposed Rules with regards to these Officers in the EU Data Protection Regulation, giving a good summary of the Commission’s view, the Parliament’s view and the (current) view from the
- Under the Council’s plans, no organisation would be under an obligation to appoint a Data Protection Officer (DPO) unless required to do so under other EU legislation or the national laws of individual EU member states. Instead, the Council said organisations “may” appoint a DPO and go on to list conditions that organisations electing to appoint a DPO would have to conform to. Many of the conditions are similar to those supported by the Commission and Parliament. They include that the DPO can act independently
- Pinsent Masons (a UK law firm) has published an article in Out-Law news & guidance entitled “US to create new data breach notification rules”. They reported that the US president Barack Obama had stated that US businesses will be required to notify consumers within 30 days that there has been a breach of the security of their personal data.
- Pinsent Masons reported that the proposal is part of a package of measures president Obama said are needed “…to protect the identities and privacy of the American people. We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused”
- Continuing with his Washington speech, president Obama stated: “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies – and it’s costly, too, to have to comply with this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans – even when they do it overseas.”
- Clearly this new proposal will apply to Capita plc businesses (that process personal data) that are based in the USA. However, it will be interesting to see if these federal proposals help to ensure that Safe Harbour remains available to EU based businesses to transfer personal data to participating organisations in the USA. The future of Safe Harbour is currently under discussion between the European Commission and the US Department of Commerce.