EasyJet announced that its customers’ personal data had been “accessed” as part of an attack apparently intent on stealing intellectual property.
In line with UK data breach notification laws, EasyJet has informed the UK's Information Commissioner's Office (ICO) of a data breach it became aware of in January of this year. While no details have been provided about the nature of the attack, EasyJet has acknowledged that it has assessed and understands the scope of the breach, and it was compelled by the ICO to notify all potentially impacted customers.
Even if the attack wasn’t intent on stealing the customer data, nine million email addresses that come with an already-established phishing campaign (literally, anything using the context of EasyJet – a promotion, a problem with issuing a fake credit to their account, etc.) is something that can easily be sold on the Dark Web.
Anyone who has been a customer of EasyJet needs to be especially vigilant about any email claiming to come from EasyJet for a long time to come (I’m talking years from now, as we’re still seeing data from the LinkedIn data breach of 2012 being used today).
Putting users through Security Awareness Training can help them understand how these scams work, how impersonating a brand is commonly used to lower the recipient’s defenses, and how to spot a potential scam and avoid falling for it.