EasyJet passengers whose card details were stolen in a “highly sophisticated cyber-attack” say they have been left frustrated and in limbo by the airline’s response.
Some 2,208 customers had their card details taken, but email addresses of nine million were also accessed by the hackers.
Samantha Burt, from Eastbourne, was told in early April that fraudsters had taken her card information.
“To wake up and find out I am more likely to be a target, because they have more information on me than other customers is a bit of a worry,” the 28-year-old told Radio 5live’s Wake Up To Money.
“I’ve been in complete limbo since 2 April.”
She said EasyJet’s response had been “really frustrating”, having waited on a dedicated phone line for an hour to get more information, but learning little.
She took it on herself to contact her card provider and change all her passwords.
That is the advice customers are receiving from EasyJet. Those whose card details have been taken are also being offered a 12-month membership to a credit file checking service to allow them to monitor any suspicious use of their identity.
Ms Burt described it as a “nuisance” to have to constantly keep an eye on her file through no fault of her own.
Fraudsters can use personal details to build up enough information to access accounts, take out loans in someone’s name, make purchases, or sell on to other criminals.
Another frustrated victim was Finlay Hamilton, from Kinross. “I’m disappointed. As a massive travel company you expect your details to be safe,” the 19-year-old said.
“I’d like to know that my bank account is safe to use, to know that for definite would be good.”
He expected some kind of compensation, but that is unlikely in these circumstances.
Generally, victims of a cyber-attack are only entitled to be reimbursed for any financial losses they suffer as a result of their card being compromised.
Blogger Helen Dewdney, who has written a book on how to complain, said it would be hard to prove any further distress or loss, but people could contact the company with any evidence, and ultimately take it to the financial ombudsman or small claims court if they were unhappy with the response.
EasyJet said it had become aware of the “highly sophisticated” attack in late January, but was only now required by the authorities to inform all nine million of those affected about the breach.
“It took time to understand the scope of the attack and to identify who had been impacted,” the airline told the BBC.
It would not comment on speculation over the source of the hack.
Security experts said it was vital that customers were proactive in changing passwords and taking care over unsolicited emails claiming to be from EasyJet.
“Ensure that passwords are reset and are strong and unique. Only visit the EasyJet website directly, rather than through a link in an email, and ensure that it is verified using https,” said Morten Ruud, from Norwegian app security company Promon.
“If users find that the password they had previously been using is one they use on multiple websites, ensure that all sites that use that same password are also changed.”