What is the background to the EasyJet breach?
EasyJet, the UK’s largest and most popular airline, has confirmed that an intricate cyber attack allowed hackers to access the travel details and personal information of 9 million of its customers.
The budget airline did not say when the security incident happened or how the hackers managed to access its systems, but the company has confirmed that it has referred the incident to the Information Commissioner’s Office. Reports suggest that EasyJet had been aware of this particular attack in January; however, it was only able to inform affected customers in April.
A spokesperson for the company described the hack as originating from “a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted” and that they could “only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected”.
Under European data protection law, companies are given 72 hours to inform regulators of a security incident. Last year the ICO set down a record £183 million fine on British Airways after the booking details of 500,000 customers were left exposed. Hackers were then able to siphon off thousands of credit card numbers after installing skimming malware on its website. In contrast, Cathay Pacific was fined pre-GDPR (General Data Protection Regulation) for mishandling its customers’ data and got off lightly with a £500,000 penalty.
The airline has already been devastated by the coronavirus pandemic, much like the rest of the aviation industry. EasyJet was one of the first airline companies to ask the UK government for a bailout to prevent its collapse. It is likely that the company will, like British Airways, be facing a massive fine from the Information Commissioner. Under GDPR (General Data Protection Regulation), if EasyJet is found to have mishandled customer data, it could face fines of up to 4% of its annual worldwide turnover, which would be massive.
Those affected by the breach have been advised to be wary of phishing attempts from hackers, where fake links are sent, typically by email, to steal personal data. Ray Walsh, a digital privacy expert at ProPrivacy, believes that hackers are looking to take advantage of the coronavirus pandemic, with lots of flights being cancelled, and that “anybody who has ever purchased an EasyJet flight is advised to be extremely wary when opening emails from now on”.
For more reading on data breach claims and the level of compensation awards, see our webpage: Data Breach Claims
What data has been breached?
The data accessed by the hackers allegedly comprises the personal details that you input when booking a flight or holiday, including name, email address, origin and destination, departure date, booking reference number and transaction amount. However, the Information Commissioner has also been told by EasyJet that the credit card details of 2,208 passengers were taken.
It is alleged by the airline that the passengers whose card details were accessed were told in April, and EasyJet has provided credit and identity monitoring to ensure their accounts are safe. The company also says it does not appear that anyone has suffered financial harm so far – but is that good enough?
In the current climate, with heightened tensions around financial security and the protection of personal data, this is a massive blow to the airline industry and the UK as a whole, given that EasyJet is used by so many of us.
Boris Cipot, senior cyber security engineer at Synopsys, states that “while EasyJet has reported that there’s no evidence that the accessed data has been misused, no one can be certain that the data won’t be misused in the future” before going on to advise “customers to call their bank and credit card companies to find out what the next steps are to ensure their accounts are secure. This may require the cancellation and replacement of affected cards. Affected account passwords should also be changed immediately”.
The UK National Cyber Security Centre (NCSC) has also provided a statement to advise affected customers:
- Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information;
- Change the password on their EasyJet account;
- Depending on their nature, report any fraud attempts to the police, the NCSC, and their bank’s fraud department.
Am I entitled to compensation as a result of this data breach?
At the moment, given how recently the breach was announced by the budget airline, the full extent of the cyber attack and how customers will be affected remain to be seen.
EasyJet Compensation for Data Breach
Depending on the data that has been accessed, you could be entitled to thousands of pounds in compensation against EasyJet.
Our solicitor Ronnie Hutcheon explains why you could be entitled to compensation:
‘Even if it is just your name, and email address, this breach of data may be a passport for cyber criminals to gain greater personal information on you to crack what they need to access your online bank accounts, cards or other criminal activity on you and your family.’
In the coming weeks and months, the Information Commissioner’s Office and the National Cyber Security Centre will be thoroughly investigating the attack, including the circumstances that led to the information being accessible. Following this investigation, if it emerges that EasyJet’s cyber-security was not up to a good standard, then it is inevitable that the company will face significant claims for compensation from its affected customers for failing to protect their personal information, which will be paired with a substantial fine from the ICO.
Our advice is to contact us now to register your interest to claim.
For further reading on data breach claims, see below:
- Morrisons Supermarket – personal breach of data – payroll by disgruntled employee
- British Airways Breach of Personal Data
- Dixons Carphone Admits Huge Data Breach
- UK Home Office data breach
- Ancestry.com data leak
- Yahoo data protection hack
- Vodafone data breach
- Butlins data hack – stolen details (‘34,000 guest records may have been accessed by hackers’)
- Ticketmaster – recent data security incident
- Greenwich University (serious breach – fined by the Information Commissioner’s Office)