Budget airline easyJet has been the target of a "highly sophisticated" cyber attack, with more than 2,000 passenger credit cards placed at risk.
The airline said an investigation found that email addresses and the travel details of approximately 9million customers have been accessed by a third party fraudulent company.
The airline has closed off the unauthorised access, however it said personal details, including card details, may have been compromised.
In a statement, easyJet said that around 2,208 people have had their credit card details accessed.
The company, which was unable to state when the incident occurred, said it has "taken action" to contact those whose card details were accessed.
Many have already been informed while some will be contacted in the "next few days", at the latest, by May 26.
"There is no evidence that any personal information of any nature has been misused, however .. we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing," a statement said.
The Information Commissioner’s Office (ICO), the data regulator, has recommended easyJet contact everyone affected because of an increased risk of phishing fraud.
The airline's chief executive, Johan Lundgren, said: "We would like to apologise to those customers who have been affected by this incident.
"Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications."
Hackers have stepped up their efforts to target major companies in the past few years, with British Airways famously hit in 2018, affecting half a million passengers.
The breach included names, travel plans, billing addresses, email addresses, payment card details, and the three-digit security code (“card verification value,” or CVV) on the back of booking cards.
The airline was subsequently fined a record £183million on the back of the breach, which affected people who booked online and via its app.
Speaking on easyJet, Ryan Gracey, solicitor and technology law specialist at law firm Gordons, said: "This is a significant cyber attack which once again highlights the importance of stringent IT security measures for businesses.
"The General Data Protection Regulation makes it clear that organisations must be accountable for the personal data they hold. This includes ensuring proper technical and organisational measures are in place to protect personal data against unauthorised or unlawful access and disclosure.
"Aside from reputational damage, EU regulators have the power to issue significant fines for those firms who have their data breached."
If you've been a victim of fraud, you can report it to Action Fraud online, here.
Anyone concerned that their details may have been compromised should contact their bank, building society or credit card issuer - this should be for the card used to pay for the easyJet booking.
If you use similar passwords across multiple accounts, it's also important that you revisit these and change them as necessary.
.jpg?w=600)
