The company said on today that travel details and personal details such as email addresses were accessed.
EasyJet said it had “closed off this unauthorised access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data regulator.
Those customers whose credit card details were taken have been contacted, while everyone else affected will be contacted by the 26th May Easyjet stated.
Their statement said: “There is no evidence that any personal information of any nature has been misused, however… we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
It added: “We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.
The ICO recommended easyJet contact everyone affected because of an increased risk of phishing fraud especially after British Airways were fined £183m million last July after hackers stole the personal information of half a million customers.
The ICO’s power to fine companies has increased under the EU’s General Data Protection Regulation.
EasyJet said “there is no evidence that any personal information of any nature has been misused”.