Anatomy of a Breach

Anatomy of a Breach: EasyJet — 9 Million Customers and 2,208 Credit Cards Exposed

> series: anatomy_of_a_breach —— part: 137 —— target: easyjet —— customers: 9,000,000 —— credit_cards: 2,208 —— context: covid-19_pandemic<span class="cursor-blink">_</span>_

Hedgehog Security 31 May 2020 12 min read
data-breach easyjet uk-breach 9-million airline credit-cards gdpr series
Breach #137

9 million customers. A UK airline. During the worst crisis in aviation history.

In May 2020, EasyJet disclosed that a cyber attack had compromised the personal data of approximately 9 million customers and the credit card details (card numbers, CVV codes, and expiry dates) of 2,208 customers. The attack had been discovered in January 2020 — four months before the public disclosure. EasyJet described the attack as 'highly sophisticated' and reported it to the ICO and the National Cyber Security Centre.

The timing was catastrophic: the breach disclosure landed during the COVID-19 pandemic when EasyJet — along with the entire aviation industry — was facing existential financial pressure. A class action lawsuit was filed seeking up to £18 billion in compensation (£2,000 per affected customer). For UK airlines and travel companies, the EasyJet breach demonstrated that cybersecurity failures create liabilities that compound during business crises — exactly when organisations can least afford them. The ICO subsequently fined EasyJet, and the case reinforced the GDPR enforcement pattern established by British Airways and Marriott.

UK Aviation Under Attack
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

British Airways. EasyJet. The UK's airlines are cyber targets.

Second Major UK Airline Breach
EasyJet followed <a href="/blog/anatomy-of-a-breach-british-airways-magecart">British Airways</a> (2018) as the second major UK airline to suffer a significant data breach — demonstrating that the aviation sector faces persistent, targeted attacks. For UK airlines and travel operators, <a href="/penetration-testing/web-application">web application testing</a> and <a href="/penetration-testing/pci-dss">PCI DSS assessment</a> are essential defences.
2,208 Complete Card Details
The theft of full card details including CVV codes — the same pattern as the <a href="/blog/anatomy-of-a-breach-british-airways-magecart">BA Magecart attack</a> — enables immediate fraudulent transactions. CVV codes should never be stored and are typically captured through client-side skimming (Magecart-style) or interception during the payment process. Our <a href="/penetration-testing/pci-dss">PCI DSS testing</a> assesses payment page security.
Four-Month Disclosure Delay
The attack was discovered in January 2020 but not disclosed until May — a four-month gap. Under GDPR, breaches must be reported to the ICO within 72 hours of becoming aware. The delay raised questions about when EasyJet became fully 'aware' of the scope. <a href="https://www.socinabox.co.uk">SOC in a Box</a> enables rapid detection supporting 72-hour notification.
Class Action During Financial Crisis
The class action lawsuit — filed during a pandemic that had grounded EasyJet's entire fleet — created compounding liability at the worst possible time. Cybersecurity investment before a breach is always cheaper than litigation after one. <a href="/cyber-essentials">Cyber Essentials</a> demonstrates the 'appropriate measures' that reduce both breach risk and regulatory exposure.
Lessons

Breaches hit hardest when you can least afford them.

The EasyJet breach proved that cyber incidents do not wait for convenient timing — they compound existing crises. For UK organisations across all sectors, the message is clear: invest in security before the crisis hits. Cyber Essentials certification, regular penetration testing, continuous SOC monitoring, and incident response capability are investments that prevent the compounding of crises — not costs that can be deferred.

UK Aviation Security

BA in 2018. EasyJet in 2020. UK airlines are targets. Is your travel business defended?

<a href="/penetration-testing/web-application">Web application testing</a> and <a href="/penetration-testing/pci-dss">PCI DSS assessment</a> protect payment data. <a href="/cyber-essentials">Cyber Essentials</a> demonstrates compliance. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors 24/7.

Commission a Security Assessment Next: Blackbaud
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 30 June 2020

Anatomy of a Breach: Blackbaud — The Charity Software Vendor That Exposed UK Universities, NHS Trusts, and Charities

Breach #138. In July 2020, Blackbaud — a cloud computing provider serving nonprofits, charities, and educational institutions — disclosed that ransomware attackers had accessed and exfiltrated customer data before the company detected and stopped the attack. Blackbaud controversially paid the ransom and stated it had received 'confirmation' the data had been destroyed. The breach affected hundreds of organisations worldwide — including UK institutions such as the National Trust, the University of Birmingham, De Montfort University, Young Minds charity, and multiple NHS trusts. Blackbaud later admitted that the breach was more extensive than initially disclosed.

data-breach blackbaud
13 min read
Anatomy of a Breach 31 December 2018

Anatomy of a Breach: 2018 Year in Review — The Year GDPR Arrived and the Fines Got Real

Breach #120 and the 2018 finale. The year GDPR came into force and the ICO immediately signalled its intent — proposing £183 million against British Airways and £99 million against Marriott. Cambridge Analytica proved data could be weaponised for political manipulation. Spectre and Meltdown proved even the silicon was vulnerable. Olympic Destroyer showed nation-states will sabotage sporting events with false flags. Atlanta proved cities are ransomware targets. Magecart swept through e-commerce. And 500 million Marriott guests discovered their data had been exposed for four years. The year enforcement matched the threat.

data-breach year-in-review
14 min read
Anatomy of a Breach 30 June 2018

Anatomy of a Breach: Ticketmaster UK and Dixons Carphone — The UK's Summer of Breaches Under GDPR

Breach #114. June 2018 brought two major UK breaches just weeks after GDPR enforcement began. Ticketmaster UK disclosed that a Magecart skimmer embedded in a third-party customer support chatbot had compromised the payment cards of up to 40,000 UK customers. Days later, Dixons Carphone revealed a breach affecting approximately 10 million customer records and 5.9 million payment cards. Both breaches tested the new GDPR framework and demonstrated that UK organisations were not ready for the post-GDPR enforcement landscape.

ticketmaster dixons-carphone
13 min read
All Posts Get in Touch