EasyJet challenges claims it leaked customer data

Lawyers involved after Wandera cites airline as one of 16 companies hit by CardCrypt


12/12/2015: EasyJet's lawyers are challenging claims that the airline has leaked customers' credit card details.

Security firm Wandera said it unearthed a security vulnerability dubbed CreditCrypt this week, adding that 16 companies including EasyJet, AirAsia, Aer Lingus, Air Canada and San Diego Zoo fell foul of it, leading them to reveal customer credit card details.


Mark Ramsden, corporate affairs manager at easyJet, told IT Pro: "The first thing to say is that we have involved our lawyers who have written to Wandera to challenge their claims.

"Our customers are always our priority and as you would expect easyJet takes the security of their data extremely seriously. We use the latest technology alongside regular audits to test our systems to ensure our customers' data remains protected. If we are ever made aware of an issue we investigate it thoroughly and act on it immediately."

He added that passenger data is always transmitted using HTTPS encryption, after Wandera speculated that a failure to use this led to the data allegedly being exposed.

Meanwhile, no easyJet customers have reported payment security issues resulting from their use of the easyJet app, Ramsden said, before adding: "Our security experts have contacted Wandera and they are yet to provide us with sufficient information to validate their claims.

"We still don't know very much about what they may or may not have found; for instance, we don't even know when they claim this happened, and therefore there is no support for their claim that this is ongoing ("is being transmitted unencrypted")."


10/12/2015: Airlines including EasyJet 'exposed credit card details'

Sixteen companies including EasyJet, AirAsia, Aer Lingus, Air Canada and San Diego Zoo have revealed customer credit card details after falling foul of a vulnerability one security firm has dubbed CreditCrypt.

This is according to security firm Wandera, which uncovered the security hole and said the unencrypted card details of customers were sent via smartphone apps and mobile websites, with the possibility of the data being intercepted as they were transmitted to the company servers for payment.

The problems occurred both when customers purchased tickets to attractions or flights and when they paid for an upgrade to a flight, meaning up to 500,000 people may have been affected by the flaw.

The data sent via an unencrypted connection includes sensitive information that could be used to steal money and identities, Wandera said, including complete credit card details, CVV security codes, customer names, full addresses, transaction amounts and contact details, although the information varies according to which provider the customer was using.


For example, passport details may also have been exposed for airline customers, while only card information would have been put at risk for those ordering tickets for San Diego Zoo or other attractions.

Wandera said the data may have been exposed because the companies were not using the HTTPS secure protocol to send the confidential information to the retailer's or airline's servers.

"We believe there are two likely reasons why HTTPS has not been used everywhere at all times," said Eldar Tuvey, CEO of Wandera.

"It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it's astounding to me that these companies have failed to exercise sufficient care in the collection of their customers' personal data."

However, it's not yet clear whether the data has been used maliciously or was intercepted at all. All companies exposing themselves to this flaw have been contacted by Wandera, but have not yet commented on the issue.


"The most alarming thing is that it is very likely that there are plenty of other brands who have made the same mistakes," finished Tuvey. "With lots of people booking journeys to go home for the Christmas holidays, it is worrying how much sensitive data could be put at risk."
