EasyJet has today reported a massive data breach, which could prove costly for the airline.
EasyJet’s cyber security incident
It has been announced that EasyJet was the target of an attack from a “highly sophisticated source.” The airline has disclosed the incident to the Information Commissioner’s Office (ICO), and has taken steps to respond to and manage the incident by engaging forensic experts to investigate the breach.
EasyJet’s investigation has found that the email addresses and travel details of approximately nine million customers were accessed. The airline says that customers who were impacted will be contacted no later than May 26, 2020.
The airline also found that for 2,208 customers, credit card details were accessed. The airline has already contacted all those customers who were impacted by that, and has offered support.
The airline notes that there’s no evidence that personal information of any nature has been misused, though the airline is still contacting impacted customers to advise them of protective steps that can be taken to minimize any risk of potential phishing.
In particular, the airline is advising customers to be alert to any unsolicited communications, and to be cautious of any communication purporting to come from EasyJet or EasyJet Holidays.
EasyJet could be looking at a huge fine
With GDPR in the UK, companies can face massive fines for any security breaches, which can total up to 4% of annual turnover. The biggest ever fine was a £500,000 fine to Facebook.
When it comes to travel brands, some may recall that after British Airways’ data breach, the airline was looking at a fine of up to £183m, equal to roughly 1.5% of turnover. Meanwhile for Marriott’s data breach, the company was looking at a fine of up to £99 million.
We’ll have to wait and see what kind of a fine is decided on for EasyJet, if any.
Bottom line
EasyJet has revealed a huge data breach that involves about nine million customers, though fortunately credit card details were stolen for just over 2,200 people, which is a small percentage of customers impacted.
Those with a credit card breach should have already been contacted, while others should be contacted by May 26.
A law firm, PGMBM, has filed a group action lawsuit over this data breach.
EasyJet originally quoted that if my flight was cancelled I can change it to "any flight across our network."
After my flight was cancelled they adjusted the terms and conditions to "Within Europe"
Is that legal? Can they adjust the terms of sale after sale is complete? And after it got cancelled?
@Belilinda
Or they could just hire someone?
Willie Walsh maybe, but I seriously won't rule out Michael O'Leary for hiring hackers that's for sure. Or maybe it was Richard Branson.
@Belilinda, Your comment made me smile.
@Eskimo interesting idea but they said it was an attack from a “highly sophisticated source.” Given the parlous state of BA’s IT, I can’t imagine they can even spell cyberattack, let alone execute one.
Interesting, how to bankrupt an airline.
Hack them during COVID-19!!
The fines are more than enough to destroy liquidity. Could this be foul play by Ryanair or IAG????
Breach happened in January, apparently.
They kept this under wraps for a long time.