EasyJet, the low-cost airline based in England, said on Tuesday that it was the target of a “highly sophisticated” cyberattack that exposed the email addresses and personal travel plans of about nine million customers, and that some had their credit card details stolen.
The airline said in a statement that as soon as it became aware of the attack, it took immediate steps to manage and investigate it, and closed off the breach. The company said the investigation showed that the credit card details of 2,208 customers were breached.
Customers whose personal information is at risk would be contacted by May 26, the airline said.
Passport information was not affected, it said.
“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information,” easyJet’s chief executive officer, Johan Lundgren, said. “However, this is an evolving threat as cyberattackers get ever more sophisticated.”
Since the spread of the coronavirus, there has been heightened concern that stolen personal data could be used for online scams, Mr. Lundgren said. The airline advised customers “to be extra vigilant, particularly if they receive unsolicited communications.”
The airline said it was in contact with the National Cyber Security Centre, a British government organization that helps companies avoid computer security threats, and the Information Commissioner’s Office, the British agency in charge of reviewing data breaches.
While other security breaches have been much larger, such as one that revealed the details of 50 million Facebook users, airlines are enticing targets because of their large stores of information on people’s identities, credit cards and travels.
In 2018, Cathay Pacific, the Hong Kong-based airline, said its computer system had been compromised, exposing the personal data and travel histories of as many as 9.4 million people. Delta Air Lines said that year that customer payment information had been exposed after a security breach at a company that provided online chat services for it.
In 2019, the Information Commissioner’s Office said it would order British Airways to pay a fine of nearly $230 million for a data breach in which hackers diverted about 500,000 customers visiting the airline’s website last summer to a fraudulent site where their personal data was taken.