Cybercriminals stole the personal information of 9 million customers, including 2,200 credit card numbers, from British budget airline easyJet, the airline said today (May 19). [EasyJet said in an official statement that "an attack from a highly sophisticated source" gave it access to "the email addresses and travel details of approximately 9 million customers." These affected customers will be contacted in the next few days."

"For a small percentage of customers (2,208), credit card details were accessed," the statement said. These customers have already been contacted and offered assistance."

Details on what credit card information (e.g., three- or four-digit security codes) was compromised were not immediately available. However, passport numbers were not compromised, the easyJet statement said.

Affected easyJet customers are not likely to be at increased risk of identity theft, but they are likely to see more spam and possibly more phishing attacks as a result of their email addresses being exposed.

"We advise our customers to remain vigilant as usual, especially when receiving unsolicited email," according to an easyJet statement. We also advise customers to be wary of any communication purporting to come from easyJet or easyJet Holidays."

The Register found several tweets dated April 2 reporting that they had received an email informing them of an easyJet data breach regarding their credit cards; the BBC reported that easyJet learned of the breach in January and notified customers whose credit cards were compromised in early April. The BBC reported that easyJet learned of the breach in January and notified customers whose credit cards had been compromised in early April.

If you have an online account with easyJet, it wouldn't hurt to change the password on your account, even though there is no indication that your password was compromised. One of the best password managers will help you do that.

Also, if EasyJet tells you that your credit card was compromised in this incident, check your recent statements and notify your card issuer immediately if you see anything suspicious.

EasyJet could face huge fines if it is found to have inadequately protected its customers' personal data, as defined by the European General Data Protection Regulation (GDPR). British Airways had to pay a $225 million fine to the UK Information Commissioner's Office in a 2018 data breach affecting 500,000 customers.

But easyJet may get off scot-free: Wired UK noticed that the ICO had told complainants that it would not enforce data protection regulations during the coronavirus crisis; the airline, which reportedly carried 28 million passengers in 2019, has since the end of March effectively suspended operations.