EasyJet victim of massive cyber attack
EasyJet has reported to the Information Commissioner’s Office (‘ICO’) and the National Cyber Security Centre that it has been the subject of a ‘highly sophisticated’ cyber security breach affecting close to 9 million customers.
It became known to the airline in January 2020 that sensitive data, including email addresses, travel details and credit card details, had been ‘accessed’ by cyber criminals. The credit card data even included the CVV digits usually found on the rear of the card. Few further details have been released about the nature of the breach or the motives of the hackers. EasyJet has confirmed that it has ‘closed off [the] unauthorised access’.
Some 2,208 customers were notified of the breach in April where their credit card details had been compromised. EasyJet state the reason for the delay was that it ‘took time to understand the scope of the attack and to identify who had been impacted’. The remainder of the customers affected should be notified by 26 May, four months after the initial breach.
Those affected may now find they are targeted by phishing attacks as a result of their data being leaked. These email attacks usually include links to fake websites requesting the victim enter further sensitive and private data. The BBC have reported that phishing attacks have risen significantly during the Covid-19 pandemic, with Google reporting that it is now blocking more than 100 million phishing emails per day. It is of concern, in this particular case, that hackers will be taking advantage of those having to cancel flights due to the global pandemic.
An ICO investigation into the breach at EasyJet is ongoing. A spokesperson for the ICO noted that ‘people have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary’. The breach is reportedly one of the largest suffered by a business in the UK and under the General Data Protection Regulation (‘GDPR’) EasyJet faces fines of up to 4% of its annual worldwide turnover if the ICO find it has mishandled the data of those affected. Fines anywhere near this size could be crippling for the business at a time when airlines are already feeling financial strain.
This breach is the latest in a series of attacks on airlines, with British Airways and Air Canada being affected only 18 months prior. In 2018 the ICO fined British Airways £183 million and it is reported that compensation payments to those affected could reach up to £3 billion.
Articles are intended as an introduction to the topic and do not constitute legal advice.