The budget British airline, EasyJet on Tuesday confirmed that a “highly sophisticated cyber-attack” has affected nine million of its customers.

The company revealed that the attack exposed email addresses and travel details of approximately nine million EasyJet customers, including 2,208 customers whose credit card details were also stolen.

The airline said it has engaged leading forensic experts to investigate the incident and has also informed the National Cyber Security Centre and the ICO, the UK’s data protection watchdog. 

According to the BBC, EasyJet first learned of the attack in January but was only able to notify the affected 2,208 credit card customers in early April. The airline has already taken action to contact all of these customers and they have been offered appropriate support. 

“This was a highly sophisticated attack. It took time to understand the scope of the attack and to identify who had been impacted,” EasyJet told the BBC. 

“We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”

It said that no passport details had been exposed. Also, there is currently no evidence that the personal information accessed has been misused; however, the airline said it has closed off the unauthorized access. 

EasyJet is in the process of contacting the relevant customers directly and affected customers will be notified no later than 26th of May to advise them of protective steps to minimise any risk of potential phishing. 

“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays,” the company said in a statement. 

EasyJet did not provide any information about the nature of the attack or the motives nor when did the hack take place. 

“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber-attackers get ever more sophisticated,” Johan Lundgren, EasyJet Chief Executive Officer, said in a statement. 

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

Lundgren also apologized for the incident and said, “We will continue to invest in protecting our customers, our systems, and our data. We would like to apologize to those customers who have been affected by this incident.” 

In response to the breach, the ICO said that it was investigating the incident.

“We have a live investigation into the cyber attack involving easyJet. People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.

“Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks, and scam messages. We have published advice on our website about how to spot potential phishing emails.”

EasyJet could face the risk of a large fine under General Data Protection Regulation (GDPR) rules if found to not have protected its customers properly.