Budget airline EasyJet has admitted falling victim to a cyber-attack that exposed the personal information of nine million customers.

The company said a “highly sophisticated attack” exposed millions of records, featuring personal data and travel itineraries. What’s more, the details of 2,208 customer credit cards were also disclosed during the hack.

The sheer volume of hacked accounts isn’t the only worry, as EasyJet has also admitted only coming clean with the information now – despite the attack actually being discovered in January. This delay, it claimed, was because it needed time for an investigation to progress enough “to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”

EasyJet was only able to inform credit card holders that their details had been disclosed at the beginning of April. All the other impacted customers were told at the end of May.

If there is some solace for affected customers, though, it’s that EastJet’s report claimed it was targeted by cyber criminals trying to access its intellectual property – and not to access customers’ personal data for use in identity theft.

However, impacted customers are still being warned to stay on the lookout for phishing attacks, which could now have much more credibility as a result of the data loss. Cyber criminals could, for example, send emails purporting to be from EasyJet, and include within them the names of specific destinations that recipients had visited. EasyJet has therefore warned its customers to exercise caution with regard to any communications purporting to come from the company.

These warnings were repeated by the Information Commissioner’s Office (ICO), which published advice on its own website on how to spot a phishing scam. In response to the EasyJet breach, the ICO said it was conducting an investigation of its own, and re-affirmed its ability to “take robust action where necessary” if it finds that any company has not handled the personal information of its customers “securely and responsibly”.