EasyJet admits a cyber-attack has affected approximately nine million customers
bbc.co.uk
Any customer data, and especially PII, needs to be toxic. The toxicity needs to increase super-linearly with the total amount of data, because the value of a leak does, too, while the difficulty of the breach probably does not.
It needs to be so expensive to store extensive data of millions of people that companies (or for that matter, the government) cannot wait to get rid of it.
Currently, most online shops nudge me towards opening an account and letting them store my data indefinitely (to facilitate marketing and reduce friction). They should do the opposite: nudge me towards not causing them the hassle of storing my data beyond the immediate business transaction.
I built an app back in 2012 for emotional journaling and I tried to collect as little data as possible from the user because I didn’t want to have the burden and legal responsibility to guard all that deep data. Many people in SV told me I was crazy not to collect data. It does make it harder to develop the app with so much uncertainty about how people are using it, yet I felt much more free knowing I wasn’t one hack away from exposing people’s lives.
Why not ask them?
I'm not sure to which part you're referring...ask them what?
I believe he's suggesting that since you don't collect any more data than necessary, you ask the users how they use your app instead.
ah, yes, I do ask them when I get the chance. Sometimes it would be a lot easier to just monitor them without having to ask. I mean, I'm sure it's a sliding scale of privacy/automation, but I still like doing it more manually, or rather, with more intentional consent.
Collecting data is just a symptom of a bigger disease called "marketing". You eradicate that disease and suddenly there's no reason to collect more data than necessary, along with a near-infinite list of other quality of life improvements like the lack of dark patterns, email and push spam ("newsletters" and "offers" as they call them), etc.
In that case the data was clearly needed for the essential service EasyJet provides, it wasn't marketing data. According to the article, the data stolen was email addresses and travel details, and for some customers credit card details (for customers who asked EasyJet to save them)
I think the point is that the company keeps the data around forever when they only need for a few months after the trip, at most.
When I was applying for UK citizenship, they needed 5 years of all travel data (entry and exit into the UK). EasyJet's databases (and other flight providers') proved useful. Of course, you could wonder why the government even needs this data, or why they don't keep it themselves (I don't for a moment believe that UK government / spy agencies don't have all data about all flights in and out of the UK).
This is how I’m building my startup[1]. All data stays with the customer and we actively don’t want it, because that’s how I wish all my products worked. I suspect you will see more startups who treat data more respectfully in the future, as the next wave of founders have experienced the consequences of unrestricted data collection.
Having said that, I also think a large part of the problem is that treating data like toxic waste is hard. There are more established patterns for data collection than data destruction. How do you know when it’s safe to delete some piece of data? What if the user comes back and complains about a transaction after you’ve deleted the associated data?
Exactly. A lot of businesses MUST keep the data.
Imagine EasyJet putting the burden of keeping all your transaction logs on you: "Passenger assumes responsibility for downloading this electronically signed package and keeping it for 2 years"
On a completely tangential note: How does your product work with pets?
Ha, that makes me wonder if we could have a future standardized protocol where your browser handles the responsibility of storing a signed package of data, and sending it back to the company when needed. Basically treat each package of data like a product that might need to be RMA'd if there's an issue. Obvious first question is what happens when you switch browsers/devices.
Regarding pets: it'll depend on the size of your pet. For most people, the sensors properly ignore pets, but they can be confused by large dogs. You can adjust the sensitivity of the sensor, so it's generally only an issue if you have both large dogs and small children, and only want to count one of them. We're working on a software update that should help that scenario too. Feel free to send me more questions at neil@hiome.com :)
The government wants many companies to keep certain data, to prevent fraud by the customers (and sometimes the businesses). Decentralizing the data makes such frauds (including tax fraud) more difficult to audit or detect, so it seems unlikely that governments will permit it.
But wait, isn't this exactly how MOST businesses operate today? I certainly can't go to my local dry cleaners and request the transaction data for something that happened 2 years ago, much less any sort of metadata about that transaction (3 shirts, one blue two white, no starch). The normal principle most businesses adhere to is a strictly limited time period of "memory" of any particular transaction or interaction, after which it is solely the customer's responsibility to keep records.
> There are more established patterns for data collection than data destruction. How do you know when it’s safe to delete some piece of data?
I agree, but this is exactly analogous to the SDLC. Most coders only learn to hack together barely-working code. Those who spend the effort to learn the craft figure out how to {version control, unit test, static analysis, benchmark, integration test, upgrade library dependencies} and automate these processes.
Similarly, there needs to be a data lifecycle with defined retention lifetimes for different data, defined processes for actually disposing of data, and special handling cases for backup blobs (which may be retained longer than the retention lifetime of a subset of the data in the backups). This is effectively intended by the GDPR (not sure if it states explicitly) and similar laws.
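The retention lifecycle described above, as an added example that is not part of the original thread: a small Python purge planner with a lifetime per data class, a legal-hold override, fail-closed handling of unclassified records, and the separate rule for backup blobs (a backup may only be kept while the longest lifetime of any class inside it has not passed). The data classes, lifetimes, record layout and sample records are all constructed for the example; real lifetimes come from the regulations and contracts that apply to you.

```python
from datetime import date, timedelta

# Retention lifetime per data class, in days. These values are constructed
# for this example; real ones come from the regulations, contracts and
# business needs that apply to you.
RETENTION_DAYS = {
    "marketing_profile": 0,            # no essential need: do not keep at all
    "booking_details": 180,            # a few months after the trip
    "payment_record": 365 * 2,         # assumed chargeback/dispute window
    "travel_history_export": 365 * 5,  # assumed: official request window
}

def purge_candidates(records, today, legal_holds=frozenset()):
    """Split records into (ids to delete, {id: reason kept}).

    A record is a dict with 'id', 'data_class', 'customer_id' and
    'event_date' (the trip date, payment date, ...). Records of a customer
    under legal hold are never purged, whatever the lifetime says, and
    records of an unknown class are kept and flagged rather than deleted.
    """
    delete, keep = [], {}
    for rec in records:
        lifetime = RETENTION_DAYS.get(rec["data_class"])
        if lifetime is None:
            keep[rec["id"]] = "unclassified"   # fail closed, but surface it
            continue
        expires = rec["event_date"] + timedelta(days=lifetime)
        if rec["customer_id"] in legal_holds:
            keep[rec["id"]] = "legal_hold"
        elif expires <= today:
            delete.append(rec["id"])
        else:
            keep[rec["id"]] = "expires " + expires.isoformat()
    return delete, keep

def backup_may_be_kept(backup_date, data_classes, today):
    """A backup blob may outlive the individual records it contains, but it
    must be destroyed once the longest lifetime of any class in it has
    passed; otherwise purged data quietly survives in the backups."""
    longest = max(RETENTION_DAYS[c] for c in data_classes)
    return backup_date + timedelta(days=longest) > today

def demo(today=date(2020, 5, 19)):
    # Constructed sample records; customer 3 is under a legal hold.
    records = [
        {"id": "r1", "data_class": "booking_details", "customer_id": 1, "event_date": date(2019, 10, 1)},
        {"id": "r2", "data_class": "booking_details", "customer_id": 1, "event_date": date(2020, 3, 1)},
        {"id": "r3", "data_class": "marketing_profile", "customer_id": 2, "event_date": date(2020, 5, 18)},
        {"id": "r4", "data_class": "payment_record", "customer_id": 3, "event_date": date(2018, 1, 1)},
        {"id": "r5", "data_class": "loyalty_scores", "customer_id": 2, "event_date": date(2015, 1, 1)},
    ]
    delete, keep = purge_candidates(records, today, legal_holds={3})
    old_backup = backup_may_be_kept(date(2016, 1, 1), ["booking_details", "payment_record"], today)
    long_backup = backup_may_be_kept(date(2016, 1, 1), ["travel_history_export"], today)
    return delete, keep, old_backup, long_backup

if __name__ == "__main__":
    print(demo())
```

Run as a script it prints which sample records are due for deletion, which are held back and why, and whether the two sample backups may still exist. The unclassified record is kept on purpose: silently deleting data you have not classified is as much a process failure as keeping it forever.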
Startups now have to think about things like GDPR and Cali's laws, so they have to think about this data more -anyway-.
> I also think a large part of the problem is that treating data like toxic waste is hard.
Yep. It's a -lot- of extra work to do. It's a balancing act between:
- Keeping data long enough to satisfy govt regulations, rulings, or existing contracts with your vendors (e.g. a merchant account with a bank for CC processing.) You can't just order something from Amazon, send a GDPR request and expect all your data to be gone; they can't delete it until -after- those retention periods have expired.
- Following Regulations like GDPR/Cali Privacy law.
- Still doing meaningful things with the data.
Generally speaking, I'd say this is all stuff that makes a Data architect very handy in the modern climate.
I think the saying is that : 'data is not the new oil, it's the new uranium'
Exactly, just let my browser fill in the data. And we pray that Mozilla can keep it safe :)
I don't see how that helps more than marginally.
Doesn't PCI require a payment processor to keep some amount of the transaction data for a specific period of time?
Personally, I love tokenized transactions / specialized payment processors (eg Apple Pay, Stripe, PayPal) because they actively work to keep most of the data away from etailers (who are generally not specialists in securing their checkout flow). The problem is the payment processor transaction fees can be steep (2.x% for most commodity CC processors all the way up to 15% for Apple Pay), so etailers lose on the margins and avoid the more secure options.
I think the GDPR has gone some way towards that.
Certainly in my own business, I want as little PII as possible.
Having worked with EJ I just wanted to point out their systems are insanely fragile. They never notified us about breaking changes and the system itself would go down multiple times. There was no CS when something went wrong. And this was their B2B API. And from talking to people who were working in EJ a lot of things were being done on Excel spreadsheets and emailed across.
Just wanted to give this info as a sort of reference. I remember when I first found out how they worked that I was so shocked that it wasn’t more of public knowledge
Interesting to hear, although a lot of companies still rely on emailing documents to each other. A few years ago I interviewed with a consultancy that provided a lot of development work for easyJet. They were operating under an old model of both work organisation and technology and not very keen to change. Interview went OK until I met the company CTO, whose personality left a lot to be desired. We ended up having a heated discussion about the need to innovate, or not in his case. Unsurprisingly, I never heard back from them.
I think I even know the person you are talking about and yeah... :D I do feel that there is a culture in these big OLD (=old ibm mentality) where there is no need to innovate and it always costs a lot to do things right. The only reason they do is because some engineers are really pushing for it and making it happen.
But they "take issues of security extremely seriously"...
Typical. When are we going to get tired of the same PR, damage-controlling bullshit that we all know is blatant lies?
EDIT: we need a GDPR hero.
I just logged in to change my easyJet password:
> Your password must be a single word between 6 and 20 characters in length and must not include the special characters # & + or space.
Come on! This is ridiculous. If you're going to get hacked at least have a sane password policy.
Doesn't a max length suggest that they are storing passwords rather than hashes?
It doesn't necessarily mean that.
A limit always exists. If you don't enforce it yourself you will find out when someone decides to send you 64GB of data to hash as their password. So always better enforce the limit yourself.
Sure could be, but to play devil's advocate maybe not, some hashing libraries have limits (silent truncation or otherwise) and/or it could be reasonable not to allow users to make the backend hash strings of unbounded length.
These specific limitations indicate that it's more likely to be something bad, however. It's funny because I remember adding EasyJet to https://github.com/dumb-password-rules/dumb-password-rules/p... last year.
Not guaranteed, but it suggests that their company processes aren't Password Manager friendly.
Still better than my bank (one of Spain's biggest) that requires your password to be 8 (not less, not more) digits.
HSBC in France have the same, it's a huge motivator for me to switch away.
May I know why? It's a problem if there is no 2FA but I doubt HSBC won't have 2FA and this password requirements.
The bank I'm using has 2FA for all actions performed in the website, so that's my guess as to why they don't prioritize fixing the lame password requirement.
Exactly. 2FA is much more important than complicated password (not that I'm advocating to have a guessable one here), altogether providing acceptable level of security.
Use "password" - eight letters and it's English and so should be safe on a Spanish site.
You missed that we're only allowed to use digits/numbers. No letters!
72779673
How much you wanna bet they weren't salting passwords in the backend?
Every time I see passwords with a list of excluded characters, I assume their system breaks when processing such passwords in plaintext. Hashes wouldn't cause any problems.
It could also be because they had imperfect character escaping in the codebase at some previous point in time and didn't bother to migrate user credentials to work exclusively with the newer correctly-escaped code.
Fun fact: PHP used to escape some characters in some POSTed data by default before a specific version, then changed the default config:
> Prior to PHP 5.4.0, the PHP directive magic_quotes_gpc was on by default and it essentially ran addslashes() on all GET, POST and COOKIE data.[1]
I know for a fact some users of a previous site I worked on had stored their password (hash) with one escaping mechanism, only to start failing authentication after that function was no longer used upon data input (all escaping should be done upon output for more perfect control of different security contexts eg. escaped HTML versus escaped SQL versus escaped JSON).
I remember reading that a somewhat-legitimate reason for blocking special characters is that it's a signal for keyloggers that the typed string might be a password. After briefly searching Google, I couldn't find anything to support that theory though.
It's an interesting point, but I think when the user has a keylogger, they've already lost. I'd rather have websites disallow passwords shorter than ~10 chars which are trivially brute-forceable in case of a leak.
If special chars can be a signal for keyloggers, so are strings > 10 chars, and strings which are not all-lowercase/all-uppercase/first-capital. Basically to mislead the keylogger in this way, the user would have to use a short all-lowercase dictionary password :)
I jokingly like the idea of using UTF-8 emojis in a password. They're available on nearly all phones and web browsers, common enough to not be susceptible to those sort of keyloggers and don't show up in any of the largest dictionaries/rainbow tables.
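The points raised above about a maximum length (needed so nobody can hand you gigabytes to hash, and because some libraries such as bcrypt silently ignore everything past 72 bytes), about excluded characters (a symptom of handling the password in plaintext, since a hash function does not care what bytes it gets), and about emoji all come together in the following added example, which is not code from the thread or from easyJet. It hashes with PBKDF2-HMAC-SHA256 from the Python standard library, accepts any character, caps input at a constructed 1024 bytes, and does no escaping at all. The NFKC normalisation step and the specific limits are choices made for this example, not anything the page prescribes.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed limits for this example. The byte cap protects the server from
# hashing arbitrarily large input; it is not a reason to forbid characters.
MAX_PASSWORD_BYTES = 1024
MIN_PASSWORD_CHARS = 10
ITERATIONS = 200_000  # tune so one hash costs roughly 100 ms on your hardware

def to_bytes(password: str) -> bytes:
    """NFKC-normalise and UTF-8 encode. Every character is allowed, '# & +',
    space and emoji included; nothing is escaped because these bytes only
    ever reach the KDF, never a query or a page."""
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    return data

def check_policy(password: str):
    """Policy for *new* passwords: length only, no character rules. Returns
    an error string or None. verify_password() deliberately does not call
    this, so tightening the policy later cannot lock existing users out."""
    if len(password) < MIN_PASSWORD_CHARS:
        return "too short"
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return "too long"
    return None

def hash_password(password: str) -> str:
    salt = os.urandom(16)   # per-user random salt, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", to_bytes(password), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), dk.hex()])

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        data = to_bytes(password)
    except ValueError:          # malformed record or oversized input
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", data, bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a wrong guess does not leak how wrong.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    record = hash_password("correct horse #&+ battery 🔑")
    print(record)
    print(verify_password("correct horse #&+ battery 🔑", record))
```

The stored record carries its own iteration count, so the cost can be raised for new hashes without breaking old ones. The length limit lives in bytes, not characters, because that is what the KDF and the network actually see.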
Possible, maybe not even hashed?
Given the disallowed chars that's suggestive that the form used to be implemented as a GET, so it's possible passwords were in log files for a long time.
Is there a technical reason to use a GET for authentication? I've always seen it as a POST. If you use GET, won't your parameters be plainly visible in well, everything, unless they put them in the body and that's a whole nother can of worms.
No, HTTPS encrypts the URL as well (although the domain itself can be leaked via DNS). But in most respects query params are no different to the body security wise. The main difference is that if you bookmark it, you may end up storing your sensitive data in your bookmarks.
Query params often end up in stuff like web server (WAF, load-balancer, reverse proxy, ...) access logs and they might get accidentally exposed.
They shouldn't get exposed of course, but they do. [EDIT: redacted an example of some random dude's access log]
If you search for "password" in there you will likely see a new Mirai bot variant [1] bouncing credentials off the server looking for weblogin.cgi on vulnerable Zyxel devices.
I imagine PA highlighted this detail in their post ("weblogin.cgi accepts both HTTP GET and POST") precisely to ensure defenders don't restrict themselves to blocking or investigating only the more normal POST mechanism.
[1] https://unit42.paloaltonetworks.com/new-mirai-variant-mukash...
Yeah that's a fair point. So the security is worse in that sense, so many ways to leak it. It'd be insanity to put sensitive info in the query params either way. It's just not the appropriate place for them.
I had no clue the URL was encrypted too. So how does DNS work? Or does it send through plaintext the name of the server, and the rest of the URL has to be encrypted by the endpoint.
The domain name is not encrypted, but the path and querystring are.
So, a spy watching your https traffic knows that you're interacting with news.ycombinator.com (and possibly other things), but they don't know anything that goes after the `/`: which thread, whether you're POSTing or GETting, or of course any of the content.
I have definitely seen some sites using GET for authentication, they tend to be ones that have been around for a long time and haven't been fixed. Can't remember the last time I saw this though.
I'm not sure when easyJet first started using online accounts, but "you can't use some URI query reserved chars" does seem like a strong indicator there used to be a GET involved.
No. GET params in the URL should not have security-sensitive data; this wasn't always widely known. Even in an HTTPS-everywhere world, there are still security implications.
Early versions of some PHP sites, for example, would pass around auth tokens (think the auth cookie) in a URL. This soon became an obvious problem when users copy-pasted their URLs into forum posts, non-HTTPS URLs were logged by proxies, and web server access logs became gold mines for maybe-still-active sessions.
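The concern in this subthread, credentials and session tokens ending up in access logs because they travelled in the query string, is something you can check for. The following added example (not code from the thread, Palo Alto or easyJet) parses combined-format access log lines, flags requests whose query string carries a password-, token- or session-like parameter, and offers a value-only redaction for logs that must be retained. The sample log lines are constructed; the parameter-name list and the log format regex are assumptions to tune for your own routes and servers.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that have no business being in a URL. Substring match on
# purpose ("access_token", "old_password"); tune for your own routes.
SENSITIVE = re.compile(r"pass|pwd|token|auth|session|api_?key|secret|cvv", re.I)

# Combined/common access-log line: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def leaked_keys(line):
    """Return a finding dict if the request carried a sensitive parameter
    in its query string, else None. Method is reported too: a GET here is
    the classic 'login form used to be a GET' leak."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    keys = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)
            if SENSITIVE.search(k)]
    if not keys:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": url.path, "keys": keys, "status": int(m.group("status"))}

def scan(lines):
    return [f for f in map(leaked_keys, lines) if f]

# Redaction for logs that must be retained: keep the parameter name (it is
# the evidence), drop its value.
REDACT_RE = re.compile(
    r'([?&][^=&\s"]*(?:pass|pwd|token|auth|session|api_?key|secret|cvv)[^=&\s"]*=)[^&\s"]*',
    re.I,
)

def redact(line):
    return REDACT_RE.sub(r"\1[REDACTED]", line)

# Constructed sample lines, not from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/May/2020:10:00:01 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0',
    '203.0.113.7 - - [19/May/2020:10:00:05 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.9 - - [19/May/2020:10:00:09 +0000] "GET /weblogin.cgi?username=admin&password=admin HTTP/1.1" 404 153',
    '203.0.113.7 - - [19/May/2020:10:00:12 +0000] "GET /search?q=easyjet&sessionid=abc123 HTTP/1.1" 200 4821',
    '203.0.113.7 - - [19/May/2020:10:00:20 +0000] "GET /flights?from=LGW&to=AMS HTTP/1.1" 200 9921',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG[0]))
```

Note that the third sample line is the kind of request a scanner bouncing credentials off a server looking for weblogin.cgi would leave behind; the same rule catches both your own application leaking passwords in URLs and other people's credentials being sprayed at you, which is why the finding includes the status code and client address.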
> must not include the special characters # & + or space.
This annoys me the most, my password contains some of those characters.
Why is this even a restriction or is just poorly developed code?
The CEO says " it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams"
Am I missing something here? This doesn't make sense really.
It makes perfect sense, the company has completely screwed up in a way that's totally unrelated to Coronavirus, and now they're trying to conflate the two issues.
I imagine this data could easily be used for a scam, considering the vast majority of these customers would have had flights cancelled and are probably pending refunds. A simple "Your refund is being processed, please enter the details of the card you paid with" would be very convincing for all those desperate for their money back.
This statement is too funny. For those looking for the quote in the article, you will find it in the duplicate HN post's [0] article [1], of which its comments were merged into this thread.
[0] https://news.ycombinator.com/item?id=23233619
[1] https://www.theguardian.com/business/2020/may/19/easyjet-cyb...
6 months ago I went through every single website in my safari keychain and changed their password, even if the password was already unique.
I also removed my credit card at some point after this from every single website - and changed the card in real life. So even if there is a card number somewhere in a db, it's not valid anymore.
I'm tech savvy and this still took around a day, and it was a pain in the ass but hopefully mitigates some of the fallout from this hack - but to be statistically safe while continuing to use online services, I'd have to wipe my passwords and cards every few months given the frequency of hacks. I couldn't expect my family to put this much effort into doing this frequently.
The system of holding a central database is completely bust. It's just too juicy a target to keep the hackers at bay.
I really wish there was more effort today spent on changing this centralised paradigm to a decentralised one - my personal data should live on my computer, and my computer only. It should never ever leave it. It should always be hashed.
If there was some way for web apps to be distributed and run on my own personal computer, with zero knowledge proofs verifying transactions on the third party services' side we would seriously reduce the attractiveness of hackers going off these enormous databases. It needs to be as easy to secure this data as possible, and it needs to never be sucked up to somewhere else, and security patches need to be instantly applied over the top of my running kernel - without any hiccup.
Impossibly difficult you will scoff. No one wants to run their own software. They absolutely would if the tech industry put any effort into it. Also the fines need to be increased massively to incentivise action in this direction. It should be business-ruining if you lose your customers' data like this.
Both the BBC article and the incident notice (shared in other comments) contain very few details about the "highly sophisticated cyber-attack".
When such details are omitted I tend to suspect that "highly sophisticated" is sugarcoating some kind of negligence or bad security practices.
Ditto. What if "highly sophisticated" actually means "stumbled upon easyjet.com/backups/latest_db_dump_w_passwords-SENSITIVE.sql"
If EasyJets systems are anything like their customer service, their in-flight food, their baggage handling or their scheduling, this is not surprising.
Partner had trouble doing an online check-in with EasyJet. Some kind of error. Arrived at the airport to be told that even though she has the ticket, she does not have a place. There were ~5 people with her in the same situation. 4 other people did not show up for the flight, so some of them got a seat after all. My partner did not, spent the night in the airport. Took about a year and loads of calling to get compensation. In the end I had to outsource it; the outsourced compensation-getting ended up costing 200 euros.
Overbooking is actually incredibly common. Every flight has some number of passengers not show up. Airlines prefer to compensate one or two people for the fact that they didn't get a seat, instead of leaving some number of seats empty.
Getting compensated should be practically instant though, and definitely not take a year, so something went terribly wrong there.
This is common. I literally had to take Icelandair (another really terrible budget airline) to court because their engines don't work (really old planes)
Not only did their system have me logged in another flight in another continent (!), they flat out denied I had a claim even though I had to stay put more than 24h, a good amount of that in the plane.
After getting sued, they tried to backhand contact me (not my lawyer) to pay compensation. Court made them pay.
This is all calculated.
> so something went terribly wrong there.
Not really.
Even if you're legally entitled to compensation Easy Jet is famous for letting you jump through so many hoops, lying to you, hanging you out to dry, letting you wait forever until you just give up.
Outsourcing to some company like Airhelp (which charges 35% of recovered compensation if successful) may be a viable option to just save you the headache, while sticking it to the carrier trying to stiff you.
Another anecdote. I had an EU Lufthansa flight that was cancelled a few hours before departure. That's 600 euros compensation no questions asked, in theory. When transferring the compensation, there was some kind of hiccup with the banks and it didn't arrive. It took me more than 6 months and more than 30 emails with customer service to get the compensation resent. 90% of the replies were "accounting says funds were sent; not our problem". Ended up using the EU's out-of-court customer resolution system (recommended): I think that's what caused them to finally react.
Their handling of refunds and cancellations...
And yet still not the worst airline in Europe, Ryanair takes that shitty award for some truly appalling business practices.
At least Easyjet seats are not slabs of hard plastic. Bus seats are significantly more comfortable than Ryanair "seats".
Hey now, EasyJet's in flight food is actually really good.
I always found it interesting how they have much better tea than British Airways.
Is baggage handling specific to an airline? It looks like it's a service provided by the airport.
> Is baggage handling specific to an airline? It looks like it's a service provided by the airport.
Generally you are right, yes, it is an airport service under one of the operating companies of the airport.
However easyJet and other low-cost airlines generally have a very vertically integrated system where they try to operate almost everything themselves to reduce cost.
Some airports have an entire dedicated terminal for them; I would not be surprised if they also manage their luggage system in these airports.
It depends on the airport and the airline.
Notice of cyber security incident: https://otp.investis.com/clients/uk/easyjet1/rns/regulatory-...
What I don't see in this article, is how can I (as an EasyJet customer) check if my data was breached?
These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed.
haveibeenpwned.com ?
While I strongly recommend HIBP, the EasyJet hack is not yet loaded into their site. https://haveibeenpwned.com/PwnedWebsites
Wish HIBP accepted PayPal, guess they're being ironic.
What a stupid headline. Just a blatant falsehood in the title of the article. Why are journalists (still) so bad at this?
I reckon the more sensationalist they make the title and article the better. It doesn't matter that it is technically inaccurate. It balances out the typically false response from these companies which usually starts with "We take the security of our customers' data very seriously..."
Would it help to see a more "honest" letter of apology from a company? What would that look like?
Clickbait titles are the new journo
> EasyJet said it first became aware of the attack in January.
vs
> The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
So either EasyJet was delayed in their reporting of the breach, or the ICO didn't feel it was urgent to notify 9 million people that their data had been compromised. But it is now 4 months later?
Their official statement says
> we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue. We also notified the National Cyber Security Centre and the ICO. We have closed off this unauthorised access.
Maybe the relevant supervising authority didn't find it important to notify those 9 million customers.
> Maybe the relevant supervising authority didn't find it important to notify those 9 million customers.
Which is a problem right? Now it emerges what has been breached. Including credit card data. Surely the prudent thing would have been to warn all their customers immediately to allow them to be on the lookout for malicious use of their data (phishing, etc.) and not wait until they have concluded their investigation.
Oh great, that probably explains the last few emails I got recently kindly telling me what my password is, and I should pay some bitcoin otherwise my weird browsing habits will be exposed to the world.
(edit)Ah no, no mention of passwords being stolen, so I guess it's from somewhere else.
From my experience reporting various GDPR violations it is clear that the ICO does not actually want to enforce the regulation, so this is not surprising.
So I just went to easyjet.com and logged in and they don’t prompt to update my password. I wonder if failure to invalidate all accounts is their technical ignorance or if my account was simply not hacked? I assume the ignorance of course.
Since January.
> EasyJet first became aware of the attack in January. It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.
Bull. Shit!
Could be catastrophic, as I have my ID details saved there for quick checkin.
Me too, could be a lot of passports being cancelled and reissued shortly
From https://otp.investis.com/clients/uk/easyjet1/rns/regulatory-...
"Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed"
The following paragraph says 2,208 customers' credit card details were stolen.
Why would reissuing passports help? The old passport is still valid and only the government is actually able to tell whether it's cancelled (as they have access to the passport DB), but for all other intents and purposes (identity verification for banks, etc) the other passport still appears perfectly valid.
Stolen and lost documents are logged in an international database. I lost my ID a few years ago. Every now and then I am asked at borders whether I have found it or it is still lost.
Banks check during the KYC process whether the document ID is on this blacklist. If yes, authorities are contacted.
Hence, once compromised/lost, apply for a new one and tell them what happened with your old one.
In my experience IDs are checked very informally by most companies such as utilities, etc. GDPR access requests usually require a proof of identity and I very much doubt they are checked beyond the details on them matching the account, so it can be yet another vector for stealing more data based on the passport. Banks are probably the only place where they may be checked against a lost/stolen DB but it won't prevent you getting your SIM & phone number taken over because someone impersonated you to your mobile carrier.
The question is: who will pay that? It costs around 100 Euro to renew a passport here in Germany.
The individual, as usual. Even if there's some legal recourse the inconvenience and expense will be larger than the payoff. And there's no legal framework to just be compensated by default in such cases.
Why would you need to cancel and reissue any passports? At worst the hackers might have stolen some passport numbers and expiry dates. What exactly could they do with those that would warrant issuing an entirely new passport?
Cancelling and renewing a passport is not a trivial matter either.
Time for datapoint tax, which will reimburse victims of these crimes
Someone could hack themselves constantly and get paid to do it
Yes, there are many criminal ways to make money. It would be nothing new. For example, burning down your house or failing business to make a claim is probably as old as insurance.
Insurance claims are not an entitlement provided by government.
So? It's still criminal. There are plenty of things that are provided by the government that are criminally gamed by a few that still provide a net benefit.
If they can hack themselves then they can hack someone else so the payout would still be justified.
And risk going to prison for a long time.
Pointing out unintended consequences. The rule suggested would tend to increase, however slightly, crimes committed.
The number one reason I do not keep CC info, and why I don't fill out details wherever I can.
I don't trust your security.
good luck buying a plane ticket from easyjet without giving them your CC info
There's often an option for whether to store CC info for future purchases. I assume that's what GP is referring to.
I wouldn't be surprised if they stored it anyway though
Some banks can generate a virtual CC ad hoc, so you could have different CC details per transaction. It's rare, I wish my bank did it, but it exists.
> I wish my bank did it
You can just use something like Privacy.com to accomplish the same thing.
Sadly, that service is only available for 4.3% of the population.
Just don’t buy from easyjet period. Nothing but bad experiences with them (sample size 1).
Who the hell makes ‘boarding time’ the same as ‘airplane leaves gate’ time :S
Official statement: http://otp.investis.com/clients/uk/easyjet1/rns/regulatory-s...
> Stolen credit card data included the three-digit security code - known as the CVV number - on the back of the card itself.
I always thought that PCI-DSS standards mandate that the CVV must never be stored; I get that card number and expiry date may be stored for customer convenience purposes, speeding checkout when returning for a second purchase, but how on earth could they be compliant if they are stashing away CVVs somewhere?
Interesting. Were they storing/operating unsalted plaintext credit card info? I hope not.
Only a couple thousand had their Credit Card details stolen whereas nine million had information stolen. This sounds like they were able to access the database to steal customer information and plant code on the website to scrape any future transactions before the Credit Card information is encrypted in the database.
Credit card information is needed as-is to be able to make transactions so hashing (and thus salting) doesn’t apply. Encryption is the best you can do.
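The last few comments make three points a merchant-side engineer has to turn into code: the CVV must never be persisted (PCI DSS forbids storing it after authorisation, even encrypted), the PAN is reversible data so it can only be encrypted or, better, replaced by a processor token rather than hashed, and whatever is written to a database or log should be checked for raw card data first. The following added example, which is not code from the thread, easyJet or any processor, does that last check: it finds Luhn-valid card numbers in string fields, masks them to the last four digits, and drops forbidden fields outright. The record layout, the field names and the test card numbers are constructed for the example; `payment_token` is an assumed field standing in for whatever reference your processor returns.

```python
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must not be stored after authorisation,
# even encrypted. Field names are an assumption for this example.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "security_code", "track_data", "pin"}

def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real card numbers from other long digit runs
    (booking references, timestamps) so masking does not eat those."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]

def mask_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(repl, text)

def sanitize_for_storage(record: dict) -> dict:
    """Copy of a payment record that is safe to persist or log: forbidden
    fields are dropped outright, and any raw PAN in a string value (including
    free-text notes, where card numbers usually leak) is masked. The
    processor's token is what a merchant keeps for repeat charges."""
    clean = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue
        clean[key] = mask_pans(value) if isinstance(value, str) else value
    return clean

# Constructed sample record; the card numbers are well-known public test numbers.
SAMPLE_RECORD = {
    "customer_id": 42,
    "card_number": "4242 4242 4242 4242",
    "expiry": "12/23",
    "cvv": "123",
    "payment_token": "tok_example_abc123",
    "note": "retry with 4111111111111111, booking ref 1234567812345678",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
```

Masking is the right default for a merchant that does not need the PAN back; if you genuinely must keep it (the saved-card convenience feature the comments mention), that field goes through your encryption or tokenisation path instead of this function, and the CVV still never gets past the authorisation call.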
most people do unfortunately
Is it the case for anyone else that your login data is not invalidated? You’d think someone in their org would realize at least to invalidate the auth data?
I managed to sign in without a problem :/
Also on the front page: https://news.ycombinator.com/item?id=23233619 .
> EasyJet said it first became aware of the attack in January.
I thought GDPR required companies to disclose breaches within a few days. What happened there?!
it still baffles me every time why they wait for so long to admit it, and why there's no accountability for such incompetence.
But they didn't reveal any details about it. They just said it was a highly sophisticated cyberattack.
Guess?
Of course the attacks have to be “highly sophisticated” in order to beat the “world-class” system that “highly paid” EasyJet security experts have put in place to secure customer data, which EasyJet “cares deeply” about.
Enter Admin Password: 12345
Pretty secure, but more likely 345yj3T! or rY4n41R-5t1nK$
"highly sophisticated cyberattack" is just PR speak for "cyberattack" - and successful cyberattacks are far more likely to be the result of negligence from company holding the data than the sophistication of the attackers.
<sound fx=typing> https://www.shodan.io/search?query=mongodb
Oh look, EasyJet huh? I wonder what's in there?
My guess is that some higher-up employee clicked on a bonus.pdf.exe and that's it
covid19 layoffs.docx.exe
free-digital-chloroquine.docx.exe
I once worked with a high level executive that left EasyJet and praised the company on how lean and small the team was. Apparently too lean and too small.
Good, Cheap, or Easy. Pick Two.
EasyJet was the one hacked, the customers got their information stolen from the hack but were not themselves hacked.
This reminds me of "identity theft".
Someone didn't steal my identity, someone stole from the bank using my identity. It should really be called "bank fraud".
A great sketch about this https://www.youtube.com/watch?v=CS9ptA3Ya9E
New to me, but it was suggestive somehow of Mitchell and Webb before watching it.
Weird how I just assumed this would be Mitchell & Webb. I've not seen much of their stuff, but it just felt like it was going to be a skit of theirs
Perhaps we should let them know they're too predictable! (Ross Anderson rightly ranted on the topic somewhere.)
That term is a brilliant way to redirect blame from the bank/government to you, kudos to whomever coined it.
Unless you are being sued by the bank as the one who stole the money and this happens in another country and the time to claim your innocence is out. Then it’s you who suffers the fraud, not the bank :/ (talking from personal experience of a close friend)
Yes, I had something similar happening. Did your friend get anything paid out? It's still hurting me while it happened many years ago.
Unfortunately, my friend is not able to enter the said country where he once was a resident anymore. Without spending tens of thousands of dollars without clear promise of success it seems impossible to resolve this. Perhaps after some long time the debt to the bank is cleared. In reality, it is actually the bank that should be sued for all this – they haven’t checked identity properly before giving out loans worth tens of thousands of dollars. It is not impossible that the bank employee is part of this. I am talking about the state of Israel, btw.
The summary is: a fraudster with a fake ID featuring real data of my friend but a fake photo managed to get loans and credit cards from several banks/companies. Since my friend left the country, he was not getting any of the post. After years these orgs opened collection cases against my friend. Since he was not in the country, the courts have judged him as a debt-evader and allowed the collection agency to act against him.
Yeah, I had something similar happen to me with a Swiss bank :( No loans they just emptied out my accounts and stock portfolio (I had lots of FAANG stock)
It’s worth holding them to account - make a constructive complaint here. https://www.bbc.co.uk/contact/complaints/make-a-complaint
Done. I've found they are usually quite responsive to these if you make a good case.
Contrast the BBC headline with Reuters’ “Cyber attack on EasyJet gets details of 9 million customers”. I love the BBC content but the news output seems to be far more focused on the number of eyeballs than on “facts”/accuracy. I find it infuriating.
The guardian has a much better title: https://www.theguardian.com/business/2020/may/19/easyjet-cyb...
Really tough on an already struggling airline. Wonder if their security team were fully in place recently?
Not really "already" since the attack became known in January, before Covid-19 decimated the industry. Were you suggesting that they were already struggling? They made a profit of over £400M in 2019 so it doesn't sound like things were too bad.
Of course, this news doesn't help them now, but it doesn't seem to me like "poor old EasyJet, down on their luck and now this".
Easyjet have been a main airline within the UK for many many years. They may be struggling because of the current environment but this isn't a small operation that wouldn't have a security team.