Updated: Jun 2, 2020
EasyJet has disclosed that the personal information of nine million customers was accessed in a “highly sophisticated” cyber-attack on the airline.
It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit card details "accessed".
EasyJet chief executive, Johan Lundgren, said: “We would like to apologise to those customers who have been affected by this incident.
"Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams."
Customers, whose credit card details were taken have been contacted, while everyone else affected will be contacted by 26 May.
The airline said that the attack was highly sophisticated and had taken time to understand the scope of the attack and to identify who had been impacted.
"We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed."
Stolen credit card data included the three digital security code - known as the CVV number - on the back of the card itself.
EasyJet did not immediately give details of how the breach occurred, but said it had “closed off this unauthorised access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
In 2019, British Airways was fined £183m after hackers stole the personal information of half a million customers.
The breach is one of the largest to affect any company in the UK, and raises the possibility of easyJet paying a large fine at a time when the coronavirus pandemic has put it under severe financial pressure.
Under GDPR (General Data Protection Regulation), if EasyJet is found to have mishandled customer data, it could face fines of up to 4% of its annual worldwide turnover.