The attack exposed the email addresses and travel details of about 9 million people, including 2,208 customers whose credit card information was also accessed, easyJet said.

While there’s no evidence the information has been misused, the airline said it has closed off the unauthorized access and will contact affected customers no later than May 26.

“We will continue to invest in protecting our customers, our systems, and our data,” easyJet chief executive Johan Lundgren said in a statement. “We would like to apologize to those customers who have been affected by this incident.”

easyJet urged customers to be on the lookout for communications purporting to come from the airline given the risk of phishing by hackers after the attack.

Lundgren said there’s a “heightened concern” about personal data being used for internet scams amid the coronavirus pandemic, which forced easyJet to ground the majority of its aircraft in late March.