Nine million easyJet passengers had their email addresses and travel details exposed in a “highly sophisticated” cyber attack, the airline has admitted.
The Luton-based carrier said this includes more than 2,000 customers who also had their credit card details stolen.
It insisted there is “no evidence that any personal information of any nature has been misused”.
Apart from the 2,208 people whose credit card details were accessed, the information obtained by the hackers was a customer’s name, email address, flight destination and date of travel.
Passport details are not believed to have been stolen.
The PA news agency understands that the attackers were able to access bookings made between the middle of October 2019 and early March 2020.
EasyJet first became aware of what was happening in late January, and it took “immediate steps” which included informing the Information Commissioner’s Office (ICO).
In early April it informed those whose credit card details were exposed.
It decided to contact the rest of the nine million passengers about what had happened on the advice of the ICO, following an increase in phishing attacks during the coronavirus pandemic.
The airline said it has been “the target of an attack from a highly sophisticated source”.
Chief executive Johan Lundgren insisted that the carrier has “robust security measures in place” but acknowledged that “this is an evolving threat as cyber attackers get ever more sophisticated”.
He apologised to customers and advised them to be “extra vigilant, particularly if they receive unsolicited communications”.
He added: “Every business must continue to stay agile to stay ahead of the threat.”
Boris Cipot, senior security engineer at Synopsys, warned that even though easyJet has reported there is no evidence that the information obtained has been misused, “no one can be certain” that will not happen in the future.
Adam French, of consumer group Which?, said anyone who thinks they could be affected should change their easyJet password, and their password on any other websites where they use the same one.
“Keep a careful eye on bank accounts and credit reports,” he added.
The ICO said last year it intends to fine British Airways a record £183 million after the personal data of more than half a million passengers was compromised in a hacking incident believed to have started in June 2018.
The announcement of easyJet’s hack comes during an already turbulent week for the airline due to a bitter battle between founder Sir Stelios Haji-Ioannou and the company’s management.
Shareholders will vote on Friday on whether to remove chief executive Johan Lundgren, chairman John Barton and two non-executives from their positions.