Significant data breaches seem to arrive with ever-increasing regularity. The latest to hit the headlines is EasyJet's. The budget airline announced on 19 May 2020 that it had suffered a 'highly sophisticated cyber-attack' affecting approximately nine million of its customers.
Email addresses and travel details were stolen, and 2,208 customers also had their credit and debit card details 'accessed', in the airline's own words. EasyJet became aware of the attack in January 2020 and has informed the UK's Information Commissioner's Office (ICO). It has gone public now to warn affected customers to be on the lookout for phishing attacks, since a stolen email address paired with genuine booking details makes for a convincing lure.
We ask how such a breach could have occurred and what the implications are for EasyJet.
What are the GDPR implications?
The last thing the travel industry needed right now was a data breach of this size and scale, and the implications for EasyJet could be significant. As we pass the second anniversary of GDPR coming into force, we expect the breach to attract regulator focus. Yet in the UK at least, some of the biggest fines announced for non-compliance with GDPR remain unpaid.
Both British Airways and Marriott International have been facing significant fines, announced in 2019. Yet the ICO has delayed collecting these fines and has also indicated that it will take a lighter touch on penalties, given the uncertainty and financial pressure caused by coronavirus. That is no reason to reduce focus on data security, however, and at no stage has the ICO suggested it will let penalties slide altogether.
In a statement in response to the EasyJet breach, the ICO said:
“People have a right to expect that organizations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary.”
We'll await the ICO's verdict.
Close the gaps in cybersecurity
Even if EasyJet is spared a sizable fine under GDPR, the breach clearly shows that gaps in its cybersecurity defenses were exploited. A financial penalty is only one element of GDPR enforcement; there is also the cost of being publicly cited as an organization that failed to protect its customers' data. As and when the travel industry returns to a more even footing, the impact on reputation, and in turn on the bottom line, has yet to be revealed.
It is highly likely that EasyJet had invested in some of the best cybersecurity solutions the market has to offer, but cybersecurity has never been only about technology. Training and processes are just as important.
Recent Clearswift research with public sector employees revealed that 77% have been given no instruction in how to recognize ransomware. 16% have had no cybersecurity training whatsoever, and 13% have had it only once. 25% had either not heard of phishing or did not know what it is. It would be surprising if those figures were significantly different in the private sector.
It isn't clear how the EasyJet breach took place, but if the airline did have good cybersecurity solutions in place, the likelier explanation is a failure of people or process at some stage, which left it vulnerable to attack. Technology that is misconfigured, left unpatched, or bypassed by a well-crafted phishing email offers little protection on its own.
Cybersecurity is something all organizations need to keep under constant review. If an organization's people, technology, or processes cannot withstand the attacks it is likely to face, it needs to step up its program to compensate.