EasyJet aircraft grounded at Manchester Airport Source: AFP

EasyJet faces billions in potential liability over data breach

  • Budget airline EasyJet experienced a massive data breach exposing the personal information of over 9 million customers, which could result in hefty civil liability claims
  • EasyJet could be penalized billions of pounds following revelations that the budget airline withheld information on the data breach from victims
  • The latest major data breach to hit the aviation industry signals that cybersecurity threats are still not being dealt with well

Organizations (and individuals) are more vulnerable online than ever before, as a huge shift towards remote working and increased dependence on online collaboration and communication tools mean that hackers and other bad actors have a heightened opportunity to attempt cyberattacks for malicious purposes.

Large companies with copious amounts of data gained from customers have long been a favored target, and since 2013 more than 14.7 billion data records have been compromised, according to the Thales Group.

In the 2020 Thales Data Threat Report – Global Edition, it emerged that nearly half (47 percent) of organizations experienced a breach or failed a compliance audit in the past year.

One such organization was low-cost carrier EasyJet, which last week revealed that it had experienced a cyber-intrusion that resulted in the exposure of the personal information and flight details of nine million EasyJet customers, including the credit card information of 2,208 passengers.

EasyJet says that no passport details were exposed, and that the budget carrier had already taken steps to notify and provide support for the 2,208 customers whose credit card details were breached. “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated,” EasyJet CEO Johan Lundgren said in a statement.

“Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams,” he continued. “As a result, and on the recommendation of the Information Commissioner’s Office (ICO), we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

Other customers began receiving email notifications from the company last Friday, with one such email seen by The Register reading:

“Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020. Your passport and credit card details were not accessed, however information including where you were travelling from and to, your departure date, booking reference number, the booking date and the value of the booking were accessed.

We are very sorry this has happened.”

Although the breach officially came to light on 19 May, it turns out that EasyJet’s systems were actually accessed by the sophisticated attackers in January. EasyJet did not inform the customers who had credit card information stolen until early April, several months after the attack.

This could have given the attackers a three-month window to misuse the credit card information, despite EasyJet keeping the Information Commissioner’s Office (ICO) in the UK apprised of the situation from the beginning.

The potential security and privacy risks from this large data breach have led a law firm, PGMBM, to issue a class action lawsuit against EasyJet on behalf of the nine million customers whose information was leaked. The group action is worth GBP18 billion, equivalent to a GBP2,000 payout for each affected passenger if the suit is successful.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers,” said PGMBM managing partner Tom Goodhead.

“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, EasyJet has leaked sensitive personal information of nine million customers from all around the world.”

This incident is just the latest in a string of cybersecurity lapses to hit the aviation industry in recent years. In September 2018, British Airways experienced a data breach that eventually affected over 500,000 victims.

Similar to the EasyJet incident was the case of Cathay Pacific, which only reported the exposure of over nine million customers’ personal data (including passport numbers, Hong Kong ID numbers, credit card info, and personal information such as nationalities and birthdates) to the ICO in October 2018. The airline had first detected the intrusions in February 2015, and had withheld the information until after the unauthorized breaches ended in May 2018.

Cathay Pacific were eventually slapped with a US$650,000 fine, the maximum allowed under British law before the enactment of the General Data Protection Regulation, or GDPR. Under the new regulations, EasyJet will likely face a hefty fine like the one British Airways received post-GDPR. British Airways was forced to defer their GBP180 million fine in the wake of the troubles faced by the aviation sector both before and during the COVID-19 pandemic.

This latest data breach highlights once again the critical importance of organizations working with cybersecurity experts to shield both their customer bases and themselves from further liability over the long run.