London-based airline EasyJet revealed on Tuesday that nine million customers’ personal information was stolen in what it called a “highly sophisticated” cyber-attack.

Email addresses and travel details were accessed, and 2,208 of the affected customers also had their credit card information stolen. EasyJet clarified that no passport details were uncovered in the breach, and that it would contact those affected.

It is not yet known how the historically large data breach occurred, but EasyJet said that it had “closed off this unauthorised access” and reported details of the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre.

The size of the breach raises the possibility of EasyJet being forced to pay significant compensation, as was the case for British Airways after the personal information of 500,000 customers was stolen. In that case, the ICO fined the airline £183 million.

A similarly sized fine would likely be a significant blow to EasyJet, which has already said it expects to make a loss of around £275 million this year as the COVID-19 pandemic continues to drive demand for air travel through the floor.

Reacting to the news, Tony Pepper, CEO of Egress, called the breach “another stark reminder that airlines must take a comprehensive risk-based approach towards protecting customer data”.

“For organisations, it remains crucial they continue to prioritise data security at all times, but especially when there’s widespread introductions of new systems as there has been in response to sustained remote working during the COVID-19 pandemic.