20 May, 2020
In a statement released yesterday, 19 May 2020, easyJet revealed that the personal information of approximately 9 million customers was accessed in a highly sophisticated cyber-attack. The personal information accessed included e-mail addresses and travel details. Credit card details of 2,208 customers were also accessed.
easyJet has confirmed that it reported the breach to the Information Commissioner's Office (ICO) and has been working with the National Cyber Security Centre to close off the unauthorised access to customer details. easyJet has already contacted those customers who had credit card details compromised and is in the process of contacting all remaining customers.
This data breach is one of the largest to affect a company in the UK following the introduction of the General Data Protection Regulation (GDPR) in May 2018. The GDPR tightened existing data protection law and gave the ICO greater powers to sanction organisations found in breach of the law. This data breach also comes nearly 10 months after the ICO announced its intention to fine British Airways £183m after a cyber attack which affected 500,000 customers.
The coronavirus pandemic means that this is a turbulent time for easyJet and the rest of the airline industry. To add to this turbulence, easyJet will now be in the midst of an investigation by the ICO into how the data breach occurred and how hackers were able to access the personal records of 9 million individuals, meaning that its data security and data protection compliance will be under intense scrutiny. The ICO has confirmed that there is a live investigation ongoing and that it will take robust action where necessary.
The announcement of this data breach comes after the ICO published guidance setting out how it will regulate during the coronavirus pandemic. In this guidance, the ICO confirmed it would be a flexible and pragmatic regulator, taking into account the impact of the potential economic or resource burden its action could place on organisations. Going further, the guidance states that the ICO will take into account the economic impact and affordability of any fines issued. It will therefore be interesting to see, in the event breaches of the GDPR are discovered during the ICO investigation, how the ICO decides to apply its available sanctions.
Unfortunately for easyJet, fines from the ICO are not the only financial worry it will face in light of this data breach. Affected customers also have the ability to claim compensation for any financial loss and distress caused as a result of the data breach. Given that there are 9 million affected customers, the combined effect of regulatory fines and compensation claims from individuals could easily see the cost of the data breach run to billions of pounds.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.