What happened?
EasyJet reported that it suffered a major security breach following what it called “an attack from a highly sophisticated source.” As a result, the data of 9 million passengers was leaked. According to the forensic analysis, the leak includes names, email addresses, and travel details (such as dates of travel, and airports of arrival and departure). It did not include passport details.
According, to the same analysis, the credit card details of 2208 customers were accessed in the leak. These customers have been contacted back in April individually by EasyJet, so if they have not reached out to you by now, your credit card details were likely not leaked in the breach.
The breach was discovered back in January, and although quickly reported to authorities, it was disclosed to the general public on May 19.
What took so long?
According to EasyJet, the reason for this delay was as follows:
“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”
If you would like to get wind of breaches sooner, we put together a guide on How to check if you’re a victim with stolen or misused data?
Am I at risk?
If you booked your travel with EasyJet, your data might be at risk. And although the company pledged to reach out to affected customers individually by May 26, it is best not to wait but take immediate action.
Step 1: Check whether your personal information was leaked in a security breach by visiting https://haveibeenpwned.com/.
Have I Been Pwned? is the go-to website for people to check if their personal data has been compromised by a data breach. It was built by Troy Hunt on the heels of the Adobe breach where he saw the same accounts and passwords being hacked repeatedly. To use this, simply go to https://haveibeenpwned.com/, enter your email-address, and click on “pwned?” If you see the message “Oh no — pwned!” chances are that your email details have been included in a recent breach. This is limited to emails and does not include other important hackable details such as social security details or phone numbers.
If your email was leaked, it’s time to create new passwords
Step 2: Change your password for the leaked account, and any other accounts that may have shared the same password.
In these types of situations, you typically have two options:
- Create your own passwords. If this is your desire, we prepared this guide on how to create strong ones.
- Get a Password Manager to do it for you. We have more information about what they are and how they work below.
Download Avira Password Manager
Helps you create strong unique passwords for all your accounts. The premium version even alerts you in real-time to security breaches and points out weak and duplicate passwords across your accounts.
Step 3: Continuously monitor your accounts
Check credit card bills, bank statements, insurance claims, and any other financial accounts on a regular basis. Always check to make sure log in records match your sign-in dates and look for any other suspicious activity.
You should also monitor your Social Security earnings record. Whenever possible, activate notifications for suspicious activity on all your accounts (financial or not).
You can read our guide here for more tips on How to Keep Your Personal Information Safe.
What are the risks?
Given the increasing risks of phishing emails and identity theft linked to Covid-19, a leaked email address will likely result in additional attempts to con you into divulging even more information by posing as EasyJet, your bank, or the authorities.
You can learn more about how to spot phishing attacks by watching this short video taken from a recent Avira webinar:
Understanding and using a Password Manager
In a nutshell, these are the functionalities of most Password Managers:
- They save passwords as the user logs into websites
- They automatically log the user onto websites for which they have previously saved their password
- They offers to generate and save new strong passwords when registering to websites
- All passwords are encrypted behind one master password which protects an unlimited number of accounts. Each single saved password is encrypted with the AES 256-bit standard and known only to the user
- They allow users to import existing passwords in CSV format from other password managers, and from other applications (e.g. browser)
- They automatically back up passwords and synchronize them across multiple devices
- Users can access and manage all passwords from an online dashboard
If you’re still unsure a Password Manager is for you, we recommend you watch this short, fun video. Enjoy – and stay safe.