
EasyJet admits a cyber-attack has affected approximately nine million customers - ilmiont
https://www.bbc.co.uk/news/technology-52722626
======
morsch
Any customer data, and especially PII, needs to be toxic. The toxicity needs
to increase super-linearly with the total amount of data, because the value of
a leak does, too, while the difficulty of the breach probably does not.

It needs to be so expensive to store extensive data of millions of people that
companies (or for that matter, the government) cannot wait to get rid of it.

Currently, most online shops nudge me towards opening an account and letting
them store my data indefinitely (to facilitate marketing and reduce friction).
They should do the opposite, nudge me towards _not_ causing them the hassle of
storing my data beyond the immediate business transaction.

~~~
guptaneil
This is how I’m building my startup[1]. All data stays with the customer and
we actively don’t want it, because that’s how I wish all my products worked. I
suspect you will see more startups who treat data more respectfully in the
future, as the next wave of founders have experienced the consequences of
unrestricted data collection.

Having said that, I also think a large part of the problem is that treating
data like toxic waste is _hard_. There are more established patterns for data
collection than data destruction. How do you know when it’s safe to delete
some piece of data? What if the user comes back and complains about a
transaction after you’ve deleted the associated data?

1: [https://hiome.com](https://hiome.com)

~~~
laydn
Exactly. A lot of businesses MUST keep the data.

Imagine EasyJet putting the burden of keeping all your transaction logs on
you: "Passenger assumes responsibility of downloading this electronically
signed package and keeping it for 2 years"

On a completely tangential note: How does your product work with pets?

~~~
guptaneil
Ha, that makes me wonder if we could have a future standardized protocol where
your browser handles the responsibility of storing a signed package of data,
and sending it back to the company when needed. Basically treat each package
of data like a product that might need to be RMA'd if there's an issue.
Obvious first question is what happens when you switch browsers/devices.

Regarding pets: it'll depend on the size of your pet. For most people, the
sensors properly ignore pets, but they can be confused by large dogs. You can
adjust the sensitivity of the sensor, so it's generally only an issue if you
have both large dogs and small children, and only want to count one of them.
We're working on a software update that should help that scenario too. Feel
free to send me more questions at neil@hiome.com :)

~~~
nickff
The government _wants_ many companies to keep certain data, to prevent fraud
by the customers (and sometimes the businesses). Decentralizing the data makes
such frauds (including tax fraud) more difficult to audit or detect, so it
seems unlikely that governments will permit it.

------
martimarkov
Having worked with EJ I just wanted to point out their systems are insanely
fragile. They never notified us about breaking changes and the system itself
would go down multiple times. There was no CS when something went wrong. And
this was their B2B API. And from talking to people who were working in EJ a lot
of things were being done on Excel spreadsheets and emailed across.

Just wanted to give this info as a sort of reference. I remember when I first
found out how they worked that I was so shocked that it wasn’t more public
knowledge.

~~~
altacc
Interesting to hear, although a lot of companies still rely on emailing
documents to each other. A few years ago I interviewed with a consultancy that
provided a lot of development work for easyJet. They were operating under an
old model of both work organisation and technology and not very keen to
change. The interview went OK until I met the company CTO, whose personality left
a lot to be desired. We ended up having a heated discussion about the need to
innovate, or not in his case. Unsurprisingly, I never heard back from them.

~~~
martimarkov
I think I even know the person you are talking about and yeah... :D I do feel
that there is a culture in these big OLD companies (=old IBM mentality) where there is
no need to innovate and it always costs a lot to do things right. The only
reason they do is because some engineers are really pushing for it and making
it happen.

------
leejo
I just logged in to change my easyJet password:

> Your password must be a single word between 6 and 20 characters in length
> and must not include the special characters # & + or space.

Come on! This is ridiculous. If you're going to get hacked _at least_ have a
sane password policy.

~~~
Sosh101
Doesn't a max length suggest that they are storing passwords rather than
hashes?

~~~
borplk
It doesn't necessarily mean that.

A limit always exists. If you don't enforce it yourself you will find out when
someone decides to send you 64GB of data to hash as their password. So it's
always better to enforce the limit yourself.
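As an added illustration (not code from any commenter), the snippet below shows how a server can cap password length in bytes before feeding it to a salted KDF, so a limit exists while only salt and digest are ever stored. The 1024-byte cap, the PBKDF2 parameters and the record layout are assumed values; the web layer is assumed to reject oversized request bodies before this code runs.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example: a generous byte cap (far above the
# 20-character limit quoted in the thread) and an OWASP-style PBKDF2 cost.
MAX_PASSWORD_BYTES = 1024
MIN_PASSWORD_CHARS = 8
PBKDF2_ITERATIONS = 600_000


def validate_password(password: str) -> None:
    """Reject inputs the KDF should never see. The cap is on UTF-8 bytes,
    not characters, because that is what the hash function actually consumes.
    No character class is banned: '#', '&', '+' and spaces hash like anything else."""
    if len(password) < MIN_PASSWORD_CHARS:
        raise ValueError("password too short")
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")


def hash_password(password: str) -> dict:
    """Return the only thing that gets persisted: algorithm, cost, salt, digest.
    The plaintext is never part of the record."""
    validate_password(password)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "alg": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Apply the same length check before doing any expensive work, so an
    oversized candidate is refused cheaply instead of hashed; then compare
    digests in constant time."""
    try:
        validate_password(candidate)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))
```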

------
thinkingemote
The CEO says " it has become clear that owing to Covid-19 there is heightened
concern about personal data being used for online scams"

Am I missing something here? This doesn't make sense really.

~~~
Traster
It makes perfect sense: the company has completely screwed up in a way that's
totally unrelated to Coronavirus, and now they're trying to conflate the two
issues.

------
AJRF
6 months ago I went through every single website in my safari keychain and
changed their password, even if the password was already unique.

I also removed my credit card at some point after this from every single
website - and changed the card in real life. So even if there is a card number
somewhere in a db, it's not valid anymore.

I'm tech savvy and this still took around a day, and it was a pain in the ass
but hopefully mitigates some of the fallout from this hack - but to be
statistically safe while continuing to use online services, I'd have to wipe my
passwords and cards every few months given the frequency of hacks. I couldn't
expect my family to put this much effort into doing this frequently.

The system of holding a central database is completely bust. It's just too
juicy a target to keep the hackers at bay.

I really wish there was more effort today spent on changing this centralised
paradigm to a decentralised one - my personal data should live on my computer,
and my computer only. It should never ever leave it. It should always be
hashed.

If there was some way for web apps to be distributed and run on my own
personal computer, with zero knowledge proofs verifying transactions on the
third party services' side we would seriously reduce the attractiveness of
hackers going after these enormous databases. It needs to be as easy to secure
this data as possible, and it needs to never be sucked up to somewhere else,
and security patches need to be instantly applied over the top of my running
kernel - without any hiccup.

Impossibly difficult, you will scoff. No one wants to run their own software.
They absolutely would if the tech industry put any effort into it. Also the
fines need to be increased massively to incentivise action in this direction. It
should be business-ruining if you lose your customers' data like this.

------
dethos
Both the BBC article and the incident notice (shared in other comments)
contain very few details about the "highly sophisticated cyber-attack".

When such details are omitted I tend to suspect that "highly sophisticated" is
sugarcoating some kind of negligence or bad security practices.

~~~
cjrp
Ditto. What if "highly sophisticated" actually means "stumbled upon
easyjet.com/backups/latest_db_dump_w_passwords-SENSITIVE.sql"

------
malux85
If EasyJet's systems are anything like their customer service, their in-flight
food, their baggage handling or their scheduling, this is not surprising.

~~~
nicolaslem
Is baggage handling specific to an airline? It looks like it's a service
provided by the airport.

~~~
adev_
> Is baggage handling specific to an airline? It looks like it's a service
> provided by the airport.

Generally you are right, yes, it is an airport service under one of the
airport's operating companies.

However easyJet and other low-cost airlines generally have a very vertically
integrated system where they try to operate almost everything themselves to
reduce cost.

Some airports have entire dedicated terminals for them; I would not be surprised if
they also manage their luggage systems in these airports.

------
eswat
Notice of cyber security incident:
[https://otp.investis.com/clients/uk/easyjet1/rns/regulatory-...](https://otp.investis.com/clients/uk/easyjet1/rns/regulatory-story.aspx?cid=2&newsid=1391756)

------
Raed667
What I don't see in this article, is how can I (as an EasyJet customer) check
if my data was breached?

~~~
mikro2nd
haveibeenpwned.com ?

~~~
badRNG
While I strongly recommend HIBP, the EasyJet hack is not yet loaded into their
site.
[https://haveibeenpwned.com/PwnedWebsites](https://haveibeenpwned.com/PwnedWebsites)

~~~
johnspiral666
Wish HIBP accepted PayPal, guess they're being ironic.

------
noad
What a stupid headline. Just a blatant falsehood in the title of the article.
Why are journalists (still) so bad at this?

~~~
davidhyde
I reckon the more sensationalist they make the title and article the better. It
doesn’t matter that it is technically inaccurate. It balances out the
typically false response from these companies which usually starts with “We
take the security of our customers' data very seriously...”

~~~
rzzzt
Would it help to see a more "honest" letter of apology from a company? What
would that look like?

------
snowwolf
> EasyJet said it first became aware of the attack in January.

vs

> The GDPR introduces a duty on all organisations to report certain types of
> personal data breach to the relevant supervisory authority. You must do this
> within 72 hours of becoming aware of the breach, where feasible.

So either EasyJet was delayed in their reporting of the breach, or the ICO
didn't feel it was urgent to notify 9 million people that their data had been
compromised. But it is now 4 months later?

~~~
trickstra
Their official statement says

> we took immediate steps to respond to and manage the incident and engaged
> leading forensic experts to investigate the issue. We also notified the
> National Cyber Security Centre and the ICO. We have closed off this
> unauthorised access.

Maybe the relevant supervising authority didn't find it important to notify
those 9 million customers.

~~~
snowwolf
> Maybe the relevant supervising authority didn't find it important to notify
> those 9 million customers.

Which is a problem right? Now it emerges what has been breached. Including
credit card data. Surely the prudent thing would have been to warn all their
customers immediately to allow them to be on the lookout for malicious use of
their data (phishing, etc.) and not wait until they have concluded their
investigation.

------
gryzzly
So I just went to easyjet.com and logged in and they don’t prompt to update my
password. I wonder if failure to invalidate all accounts is their technical
ignorance or if my account was simply not hacked? I assume the ignorance of
course.

~~~
KingOfCoders
Since January.

------
Aeolun
> EasyJet first became aware of the attack in January. It told the BBC that it
> was only able to notify customers whose credit card details were stolen in
> early April.

Bull. Shit!

------
88840-8855
Could be catastrophic, as I have my ID details saved there for quick checkin.

~~~
mindracer
Me too, could be a lot of passports being cancelled and reissued shortly

~~~
Nextgrid
Why would reissuing passports help? The old passport is still valid and only
the government is actually able to tell whether it's cancelled (as they have
access to the passport DB), but for all other intents and purposes (identity
verification for banks, etc) the other passport still appears perfectly valid.

~~~
88840-8855
Stolen and lost documents are logged in an international database. I lost
my ID a few years ago. Every now and then I am asked at borders
whether I have found it or it is still lost.

Banks check during the KYC process whether the document ID is on this
blacklist. If yes, authorities are contacted.

Hence, once compromised/lost, apply for a new one and tell them what happened
with your old one.

~~~
Nextgrid
In my experience IDs are checked very informally by most companies such as
utilities, etc. GDPR access requests usually require a proof of identity and I
very much doubt they are checked beyond the details on them matching the
account so it can be yet another vector for stealing more data based on the
passport. Banks are probably the only place where they _may_ be checked
against a lost/stolen DB but it won't prevent you getting your SIM & phone
number taken over because someone impersonated you to your mobile carrier.

------
jbverschoor
Time for datapoint tax, which will reimburse victims of these crimes

~~~
hammock
Someone could hack themselves constantly and get paid to do it

~~~
nkrisc
Yes, there are many criminal ways to make money. It would be nothing new. For
example, burning your house or failing business down to make a claim is
probably as old as insurance.

~~~
hammock
Insurance claims are not an entitlement provided by government.

~~~
nkrisc
So? It's still criminal. There are plenty of things that are provided by the
government that are criminally gamed by a few that still provide a net
benefit.

------
brnt
The number one reason I do not keep CC info, and why I don't fill out details
wherever I can.

I don't trust your security.

~~~
nogabebop23
good luck buying a plane ticket from easyjet without giving them your CC info

~~~
trickstra
Some banks can generate a virtual CC ad-hoc, so you could have different CC
details for each transaction. It's rare, I wish my bank did it, but it exists.

~~~
sp0rk
> I wish my bank did it

You can just use something like Privacy.com to accomplish the same thing.

~~~
trickstra
Sadly, that service is only available for 4.3% of the population.

------
afrcnc
Official statement:
[http://otp.investis.com/clients/uk/easyjet1/rns/regulatory-s...](http://otp.investis.com/clients/uk/easyjet1/rns/regulatory-story.aspx?cid=2&newsid=1391756)

------
FearNotDaniel
> Stolen credit card data included the three-digit security code - known as
> the CVV number - on the back of the card itself.

I always thought that PCI-DSS standards mandate that the CVV must never be
stored; I get that card number and expiry date may be stored for customer
convenience purposes, speeding checkout when returning for a second purchase,
but how on earth could they be compliant if they are stashing away CVVs
somewhere?

------
chockablock
Dupe of
[https://news.ycombinator.com/item?id=23233619](https://news.ycombinator.com/item?id=23233619)

------
mangatmodi
Interesting. Were they storing/operating unsalted plaintext credit card info?
I hope not.

~~~
InsomniacL
Only a couple thousand had their Credit Card details stolen whereas nine
million had information stolen. This sounds like they were able to access the
database to steal customer information and plant code on the website to scrape
any future transactions before the Credit Card information is encrypted in the
database.

------
gryzzly
Is it the case for anyone else that your login data is not invalidated? You’d
think someone in their org would realize at least to invalidate the auth data?

I managed to sign in without a problem :/

------
JadeNB
Also on the front page:
[https://news.ycombinator.com/item?id=23233619](https://news.ycombinator.com/item?id=23233619)

------
DangerousPie
> EasyJet said it first became aware of the attack in January.

I thought GDPR required companies to disclose breaches within a few days. What
happened there?!

------
beshrkayali
It still baffles me every time why they wait so long to admit it, and why
there's no accountability for such incompetence.

------
eddieoz
But they didn't reveal any details about it. They just said it was a highly
sophisticated cyberattack.

Guess?

~~~
huy-nguyen
Of course the attacks have to be “highly sophisticated” in order to beat the
“world-class” system that “highly paid” EasyJet security experts have put in
place to secure customer data, which EasyJet “cares deeply” about.

~~~
TLightful
Enter Admin Password: 12345

~~~
72deluxe
Pretty secure, but more likely 345yj3T! or rY4n41R-5t1nK$

------
drra
I once worked with a high level executive that left EasyJet and praised the
company on how lean and small the team was. Apparently too lean and too small.

------
abledon
Good, Cheap, or Easy. Pick Two.

------
pedrocr
EasyJet was the one hacked, the customers got their information stolen from
the hack but were not themselves hacked.

~~~
helldritch
This reminds me of "identity theft".

Someone didn't steal my identity, someone stole from the bank using my
identity. It should really be called "bank fraud".

~~~
dmurray
A great sketch about this
[https://www.youtube.com/watch?v=CS9ptA3Ya9E](https://www.youtube.com/watch?v=CS9ptA3Ya9E)

~~~
sshagent
Weird how I just assumed this would be Mitchell & Webb. I've not seen much of
their stuff, but it just felt like it was going to be a skit of theirs.

~~~
gnufx
Perhaps we should let them know they're too predictable! (Ross Anderson
rightly ranted on the topic somewhere.)

------
GEBBL
Really tough on an already struggling airline. Wonder if their security team
were fully in place recently?

~~~
cranekam
Not really "already" since the attack became known in January, before Covid-19
decimated the industry. Were you suggesting that they were already struggling?
They made a profit of over £400M in 2019 so it doesn't sound like things were
too bad.

Of course, this news doesn't help them now, but it doesn't seem to me like
"poor old EasyJet, down on their luck and now this".

