After announcing a massive data breach of customers’ personal information, easyJet is going to face hefty civil liability claims and a probable GDPR fine
Topic: Legal Area
by Sergio Guida
In this tough time for the airlines (their idle planes have been waiting in a gruelling game of survival), easyJet, the UK's largest airline, is facing a further problem. Some days ago the low-cost carrier revealed that it had “been the target of an attack from a highly sophisticated source,” resulting in a significant data breach.
Leaked sensitive personal data includes full names, email addresses and, most disturbing of all, travel data, including departure dates, arrival dates and booking dates. In particular, the exposure of details of personal travel patterns can put the physical security of individuals at risk and is a serious invasion of privacy.
In a "Notice of cyber security incident", given through RNS, the news service of the London Stock Exchange, the Board of easyJet announces that the company has suffered a cyber-attack and that an unauthorised third party succeeded in gaining access to its systems: "our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed. Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed." "Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed. Action has already been taken to contact all of these customers and they have been offered support".
The security incident is monumental and probably will take the lead for the biggest breach of 2020 with a staggering number of customers affected.
In addition, although easyJet notified the UK's National Cyber Security Centre and the ICO (the UK's data protection authority) as soon as it learned of the attack, in January 2020, the company only revealed this catastrophic lapse to individuals “once the investigation had progressed enough that we were able to identify whether any individuals had been affected, then who had been impacted and what information had been accessed”, as it writes in the ”infoalert” on its website. “In April, we notified a small group of customers whose credit card details had been impacted and offered them support including a dedicated helpline and monitoring”.
So now easyJet states that it is notifying affected customers and that all of those affected will receive the notification by May 26th, 2020.
EasyJet is trying to douse the fires of this grim chapter in data insecurity: “there is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”
This phishing risk means that opening any suspicious email purporting to be from easyJet is simply a risk not worth taking, resulting in a peculiar circularity: anybody who has ever purchased an easyJet flight is advised to be extremely wary when opening emails from now on and, more generally, to reset passwords on a regular basis.
For the company’s part, customers whose credit card details were compromised have received an email with a unique code, ostensibly to access services provided by a third party.
This incident is just the latest in a long line of travel and tourism industry data breaches. Airline companies have a rather patchy record in the field of data security: for instance, Cathay Pacific Airways experienced an attack on a similar scale, with a hacker accessing the personal information of 9.4 million customers over a four-year period; that case was also sanctioned by the ICO, resulting in a pre-General Data Protection Regulation fine of £500,000.
Last year British Airways was fined £183 million by the ICO, in light of the more punitive powers of the GDPR, for failing to take adequate steps to protect the personal information of some 380,000 customers (as reported in this journal, too). As with easyJet, the company adopted a strategy of understating the effect of it all, notwithstanding that victims were exposed to an immediate risk of fraud and scams, where criminals could use the exposed data to pose as easyJet and lead people to dangerous websites. As we have seen with other big data breaches in the past, victims could also be at risk of being duped into handing over money or access to accounts to fraudsters posing as the airline itself.
Even though the latest major data breach impacting the aviation industry signals that cybersecurity threats are still not being handled well, easyJet CEO Johan Lundgren said “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated”. Indeed, the firm has not given any details on the nature of the breach.
The potential security and privacy risks arising from this large data breach are very likely to lead to a significant number of compensation claims and, given the scale of the incident, the ICO could issue a fine, too.
Pursuant to article 82 of the EU General Data Protection Regulation (EU-GDPR), the user has the right to compensation for inconveniences, difficulties, disturbance and loss of control of their data.
The GDPR allows fines of as much as 4% of the company’s global annual turnover for the preceding year, which can mean fines even much higher than in the British Airways example; furthermore, there is also the cost of legal action to consider.
A few days ago, a “global leader in group litigations” (PGMBM law firm) filed in the High Court of London a class-action claim with a potential liability of £18 billion, which equals approximately £2,000 per impacted customer. It is worth noting that the firm is the court-appointed lead law firm in the group litigation surrounding British Airways’ data breach.
Source: Regulatory News Service (RNS), the news service of the London Stock Exchange.