EasyJet hack: 9 million customers hit and 2,000 credit cards exposed

Over 2,000 customers' credit-card details have been accessed by "highly sophisticated" hackers.
Written by Liam Tung, Contributing Writer

UK budget airline easyJet has disclosed a massive data breach affecting nine million of its customers and involving over 2,000 credit-card details. 

EasyJet today said it has been the target of a "highly sophisticated" attacker, which gained access to nine million customers' email addresses and travel details. 

The company said 2,208 credit-card details were accessed by hackers, noting it had "closed off this unauthorized access".

Affected easyJet customers will be contacted by the carrier no later than May 26, easyJet said in a statement. The company has not disclosed when the breach occurred or how it happened, but it has notified the UK's Information Commissioner's Office and National Cyber Security Centre (NCSC) and has hired a digital forensics expert to investigate the breach.

In terms of affected customers, easyJet's data breach dwarfs a 2018 data breach at British Airways, which was fined a record £183.4m ($225m) last year by the Information Commissioner's Office under Europe's General Data Protection Regulation (GDPR). 

The ICO blamed the British Airways data breach, which affected 500,000 customers, on its "poor security arrangements" for protecting login, payment card, travel details, and name and address information on its website.    

The ICO advised easyJet to disclose the breach because of an increased risk that affected customers could become targeted by phishing attacks. The airline warned customers to be on the alert for unsolicited communications, though it said it had no evidence that any personal information had been misused.   

"We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers' personal information. However, this is an evolving threat as cyberattackers get ever more sophisticated," said easyJet CEO Johan Lundgren. 

"Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.

"Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data. We would like to apologize to those customers who have been affected by this incident."

ZDNet has sought additional details from easyJet and will update the story if it receives a response. 
