EasyJet Admits Data of Nine Million Hacked

An anonymous reader quotes a report from the BBC: EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers. It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit card details "accessed". The firm has informed the UK's Information Commissioner's Office while it investigates the breach. EasyJet first became aware of the attack in January. It told the BBC that it was only able to notify customers whose credit card details were stolen in early April. Stolen credit card data included the three digital security code -- known as the CVV number -- on the back of the card itself. EasyJet added that it had gone public now in order to warn the nine million customers whose email addresses had been stolen to be wary of phishing attacks. It said that it would notify everyone affected by 26 May.

CVV?

[Ecuador]

I thought retailers aren't supposed to save the security code?

Re:

[ceoyoyo]

I'm surprised the credit card companies don't sue anyone who does into the ground. They're liable for losses, and it's pretty obvious if you saved the CVV when you weren't supposed to.

Re:

[The_Revelation]

If they're doing CC processing, they'd better pray that they have the valid certifications on their app to begin with.

Re:

[Ogive17]

Honest question - if you save your payment details, is it going to also save CVV?

Re:CVV?

[micheas]

Typically as a merchant, I haven't saved credit card numbers when doing a Card On File transaction but rather generated a unique number with the payment processor for a card that was only good for transactions for that customer from our store, so a lifted card could only be used for purchasing things on our store if compromised and then saved the last four digits of the real card to show the customer and the single purpose card number for recurring transactions. I'm sure that there are people who just save everything though. An outsourced programmer making $1,200 a month doesn't really care if the company is compromised.

Re:

[AmiMoJo]

EasyJet likes to keep your card on file because it reduces friction when charging for extras. Everything they aren't legally obliged to give you costs extra and the whole experience is designed to push you towards paying more than the headline ticket price.

Re:

[overnight_failure]

Everything they aren't legally obliged to give you costs extra and the whole experience is designed to push you towards paying more than the headline ticket price.

That's because that's where they make their profit. They make very little on the price of the ticket itself.

Re:CVV?

[Bite The Pillow]

9 million customer records and only 2200 credit cards. CVV was likely in flight, not saved.

again and again?

[k6mfw]

woopie, another database hack. I think these occur more often than cars getting flat tires. So I ask again (and again, and again, and again, ...) is there anyway to protect a database with exception to making it WOM (write only memory)?

Re:

[Mr. Dollar Ton]

Yes, check and untaint all your inputs before you use them and use parametrized queries, you "fullstack" hero.

Re: again and again?

[slazzy]

Protecting from SQL injection is only one of many required security protections needed to keep things safe.

Re:

[overnight_failure]

It's also one of the things you normally don't have to worry about when you're fronted by Akamai.

Re:

[Mr. Dollar Ton]

Hello, full-stack hero. Apt username, congrats.

Re:

[overnight_failure]

A witless insult on slashdot? I'm shocked!

Apparently the concept that companies pay other companies for things so that they don't have to do them has come as a shock to you. Don't worry, you'll get used to it.

Re:

[Mr. Dollar Ton]

And yet, QL injection is the single most important vector of "database hacks", bar none, and it is still happening decades after parametric queries became available through sheer code monkey ignorance.

Re: again and again?

[slazzy]

Yes you can make them secure.

Re:

[overnight_failure]

Could've been lots of things. Unlikely to have been a db hack a few years back but I heard they moved a load of their website stuff to a new system. I'd have guessed their B2B system a much more likely vector.

Homer Software

[Aighearach]

Just when you thought it was safe to fly!

highly sophisticated cyber-attack

[Going_Digital]

AKA somebody left the door open and some script kiddie came and helped themselves.

"Highly sophisticated attack" = "we dumb"

[gweihir]

That phrase is code for "we made several really dumb beginner's mistakes but do not want to admit that". It is high time that when something like this happens, the CEO goes to prison. I would also think an automatic compensation of $1000 for each person affected (unless they can demonstrate higher damage) would be a good idea. Maybe these two things could stop the atrociously bad and utterly pathetic amateur level IT operations that are going on in far too many companies.

EasyJet target of highly sophisticated attack?

[notdecnet]

Leme guess, someone opened a malicous link in an email under Microsoft Windows.

Clarke Reference?

[careysub]

The Nine Million Names of "Oh my God"!