easyJet suffers data breach involving nine million customers

In news that will no doubt alarm many of the airline’s passengers, easyJet plc (easyJet) has confirmed that it has suffered a serious data breach affecting nine million customers as the result of a cyber-attack.  In addition to certain personal data including email addresses and travel details, the credit card details of 2,208 customers have apparently been impacted and the UK Information Commissioner’s Office (ICO) has been informed.

It is reported that easyJet first became aware of the incident in January, but was only able to inform customers whose credit card information had been compromised at the beginning of April.  In a statement to the stock market issued on 19 May 2020, easyJet confirmed that, while there is no evidence that any personal data has been misused, on the advice of the ICO, it is communicating with affected customers to alert them to the possibility of “phishing” attacks and advise them regarding protective steps to minimise the risks of this.

This is the latest in a series of personal data breaches to beset the airline industry in recent years.  For example, in July 2019, the ICO issued a notice of its intention to fine British Airways £183.39 million in respect of certain breaches of the General Data Protection Regulation (GDPR), (although the final amount of the fine is yet to be confirmed).  Data controllers can be fined up to €20,000,000 or, in the case of undertakings, up to 4% of global annual turnover for serious breaches of the GDPR. The British Airways fine relates to a cyber incident which is thought to have started in June 2018 and led to a personal data breach involving around 500,000 British Airways customers.  The ICO investigated the incident and discovered that British Airways’ security arrangements were inadequate in a number of respects. 

More recently, in March 2020, the ICO fined Cathay Pacific Airways Limited (Cathay Pacific) £500,000 for various security failures between October 2014 and May 2018 which led to a breach of its customers’ personal data.  The ICO found that the security measures taken in respect of Cathay Pacific’s computer systems were seriously deficient in numerous ways, resulting in the personal data of over 111,500 UK customers, together with the data of around 9.4 million other individuals around the world, being compromised following a brute force attack. 

The ICO investigated the Cathay Pacific incidents under the Data Protection Act 1998 (DPA98), the data protection legislation in force in the UK prior to the GDPR and the UK Data Protection Act 2018.  Cathay Pacific was found to have committed a serious breach of the DPA98, which required data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, resulting in the ICO issuing the maximum civil monetary penalty possible under the previous legislation.

Regarding the most recent incident, easyJet has reassured customers that it takes the safety and security of their information very seriously.  This incident is, however, clearly significant and will no doubt be subject to further investigation and close scrutiny by the ICO to determine exactly how a breach of such magnitude occurred.