EasyJet is the latest airline to be targeted by hackers as 9 million of its customers have had their email addresses and flight details stolen, whilst 2,208 customers have had their credit card details breached. As a result, a class-action law suit has been started against EasyJet under article 82 of the General Data Protection Regulation.
EasyJet announced on their website on 19 May 2020 that it had been the target of a cyber-attack from “a highly sophisticated source” that affected 9 million customers. They immediately informed the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
In response, a class action law suit has been started (you can join here) which seeks to obtain compensation for those customers affected in accordance with Article 82 of the GDPR which allows any person who has suffered damage to claim compensation from the controller liable for the damage (i.e. EasyJet).
EasyJet has said that no passport details were stolen nor was there evidence that cyber criminals were misusing the hacked personal information. This does not mean that the information will not be misused at some point in the future.
The ICO, in response to this cyber-attack, said that “[p]eople have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary”.
Large companies will be expected to have complex and secure IT systems in place with these systems having been further upgraded when the GDPR was introduced. That said, even if a company has the appropriate cyber security in place, hackers find other ways to breach a company’s data.
It is not clear how this data breach occurred, but in many cases are due to a failure in ‘process’ and staff training which left it vulnerable to the attack, including where an employee inadvertently opening a phishing email. We must wait until we have the full details from the report that the ICO eventually publish.
If it turns out that the attack was the result of a failure to process data correctly or because of staff deficiencies, EasyJet will still be on the hook for sanctions arising out of the GDPR which are likely to be substantial. As already mentioned, the ICO expect an organisation such as EasyJet to handle customers personal information “securely and responsibly” – this does not appear to have happened in this case.
If EasyJet is found to have had inadequate systems/processes/training in place which allowed this data breach to happen, then the ICO has the power to levy a large fine against it.
However, there have been indications from the ICO that it will reduce the fines it imposes on companies as a result of the current economic circumstances. British Airways and Marriot International are facing significant fines for data breaches but the ICO has delayed their collection due to Covid-19.
Cathay Pacific also saw a massive data breach in October 2018. Clearly, the airlines and hotel groups are targets for hackers as they hold troves of personal data, which includes passport details and debit and credit card details.
That said, even if EasyJet escapes paying a fine and/or is given more time in which to pay the fine, this has still damaged their reputation very badly. The cyber-attack really could not have happened at a worse time for EasyJet.
It will be interesting to see if EasyJet escapes the worst of the sanctions that the IPO could impose on it. It is also worth pointing out that the British Airways data breach of 2018 turned out to be a lot worse than they had initially admitted. Keep an eye out for future developments because this case is far from being over.