Did Chinese hackers steal data of 9 million easyJet passengers?

Hacking tools and techniques used to access the travel records of millions of customers of the United Kingdom’s easyJet point to a group of suspected Chinese hackers thought to be behind multiple attacks on airlines in recent months, two people familiar with the investigation told Reuters news agency.

The airline said earlier on Tuesday that hackers had accessed the email and travel details of around nine million customers, as well as the credit card details of more than 2,000 of them, in a “highly sophisticated” attack.

The two people with knowledge of the investigation, who spoke on condition of anonymity, said the attack appeared to be part of a series by suspected Chinese hackers aimed at the bulk theft of travel records and other data.

An easyJet spokeswoman did not respond to questions about who was responsible for the attack. The Chinese embassy in London did not immediately respond to a request for comment.

The UK’s Information Commissioner’s Office (ICO) said on Tuesday that it was investigating the cyberattack and urged anyone affected by data breaches to be particularly vigilant about phishing attacks and scam messages.

“We have a live investigation into the cyberattack involving easyJet,” it said.

“People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”

The ICO protects information rights and has the power to impose fines.

The news of the late January attack means the budget airline, which has grounded most of its flights due to the COVID-19 pandemic and is locked in a long-running battle with its founder and biggest shareholder, could face a hefty fine.

British Airways, which was hit in 2018 with the theft of hundreds of thousands of credit card details, is still appealing a fine from the ICO of 183.4 million pounds ($225m).

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams,” easyJet’s Chief Executive Officer Johan Lundgren said.

“As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications,” he added.

Though easyJet said it did not look like any personal information had been misused, it has engaged leading forensic experts to investigate the issue and has also notified the National Cyber Security Centre.

“We would like to apologise to those customers who have been affected by this incident,” Lundgren said.

Hackers around the world have stepped up their efforts in recent months, taking advantage of the coronavirus pandemic to trick people into revealing their passwords and other sensitive data. Government officials have also warned of greater risks as people working from home create opportunities for hackers.

Shares of easyJet, down 64 percent in three months, were down three percent at 12:25 GMT.