EasyJet reveals that some nine million of its customers have been affected by a “highly sophisticated cyber-attack”
Nine million EasyJet customers have had their data exposed, according to a recent BBC news article. In January this year EasyJet became aware of a cyber attack affecting millions of its customers and, on the advice of the ICO, is now going public in order to reduce the risk of follow-on phishing attempts. So far it has been reported that email addresses and travel details were stolen, and that 2,208 customers also had their credit card details accessed.
Although investigations are still underway, EasyJet reportedly told the BBC that it was not until early April that it was able to notify the customers whose credit card details had been stolen.
“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed,” EasyJet said, as quoted in the BBC article.
At present, EasyJet has found no evidence that any personal information has been misused, although the ICO is investigating the breach and may take action accordingly. It should be noted that, regardless of how the attackers use the personal data compromised in a breach, the risk to the rights and freedoms of the data subjects involved plays a key role when assessing the consequences of the incident and deciding which measures should be implemented.
What should be the response from EasyJet upon the breach?
The steps that should be taken upon a breach with the aim of reducing the impact of the potential harm are the following:
- Apply any necessary measures to contain the breach where possible.
- Inform the DPO.
- Assess the risk of the breach and identify relevant elements such as categories of data and data subjects affected plus remedial actions considered or taken.
- Report the incident if necessary:
- The ICO should have been notified within 72 hours of EasyJet becoming aware of the breach, unless the breach was unlikely to result in a risk to the rights and freedoms of natural persons.
- The customers should be notified unless EasyJet has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. That exception does not apply here, because travel and credit card details were involved; these may comprise sensitive data and expose customers to further attacks such as phishing. For example, under the current global health emergency, travel details may reveal that a customer has tested positive for COVID-19.
- Evaluate the response and recovery to prevent future breaches.
It should also be noted that human error is behind a large share of data breaches, so providing training to employees is paramount.