EasyJet has become the latest airline to fall victim to a sophisticated cyber attack. These are the key questions.

What has happened?

Britain’s biggest budget airline says the details of nine million customers have been “accessed” by hackers in a major cyberattack.

The data accessed comprised details that you input when booking a flight or holiday, including name, email address, origin and destination, departure date, booking reference number and transaction amount.

The Information Commissioner has been told by easyJet that the credit card details of 2,208 passengers were also taken.

The airline says: “We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.

“There is no evidence that any personal information of any nature has been misused.”

When did it happen?

It is thought the attacker had access to the data of customers who booked flights from 17 October to 4 March; this was the date of booking, not the date of travel.

The airline became aware of the data breach at the end of January.

A spokesperson said: “This was a sophisticated attacker and it took time to understand what information may have been accessed and to make sure they could not come back into the systems.

“As soon as we discovered it, we started an investigation and have closed off this unauthorised access.”

The passengers whose card details were accessed were told in April, and easyJet has provided credit and identity monitoring to ensure their accounts are safe.

The airline says it does not appear that anyone has suffered financial harm so far.

Why have we found out about it only now?

The Independent understands that easyJet was not obliged to contact passengers whose basic booking details were compromised.

Did the hackers get passport details?


I have a booking with easyJet. What are the chances that my data may have been hacked, and when will I find out?

If you were one of the 90 million or so who booked with easyJet in the year to January 2020, the chance that you were hacked is about one in nine. If you are among the affected passengers, you can expect to be contacted by 26 May 2020.

The airline is telling passengers their travel details were accessed and advising them of steps to take to minimise the risk of “phishing”, in which emails are sent for the purposes of fraud.

What could happen to easyJet?

The GDPR rules that govern the storage of personal data say companies must deploy “appropriate technical and organisational measures to ensure a level of security appropriate to the risks”, with particular focus on “unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”.

The Information Commissioner can impose a fine of 4 per cent of easyJet’s turnover in 2019, which could amount to £255m. In practice it is likely to be far less. Cathay Pacific was recently fined £500,000 for a data breach involving 9.4 million passengers, though only 111,000 of them were British.

Didn’t British Airways get hit with a massive fine?

Yes, following a hack in the summer of 2018 in which cybercriminals stole payment card details from an estimated 500,000 passengers who bought flights online direct from the airline.

The personal data comprised the passenger’s name, travel plans, billing address, email address and payment card details, and the three-digit security code (“card verification value”, or CVV) from the back of the card.

British Airways was handed a fine of £183m, but the potential harm to passengers in that case was much greater than the easyJet hack.

Any tips for keeping my data safe?

You could take a wide range of precautions, including using a different email address for each airline that you book with. You might prefer to pay with a “burner” prepaid card, again used solely for flights with one airline.

Booking through an intermediary – typically an online travel agent – may add a layer of security, though it increases the number of organisations with access to your data.

The Money Saving Expert, Martin Lewis, adds: “Everyone should change your easyJet password and change the password on any site where you used the same password as you did with easyJet.”

Will this have any effect on easyJet returning cash to passengers whose flights have been cancelled?

No – though Gerard McCarthy tweeted: “Any chance the hackers can start processing our refunds then?”

