On 19th May 2020, EasyJet admitted that the personal details of nine million customers had been stolen and 2,208 customers had their credit card details accessed in a sophisticated cyber-attack. The airline knew about the EasyJet data breach as far back as January.
Under the General Data Protection Regulation (GDPR), organisations must tell the ICO – the UK’s data protection regulator – about a personal data breach within 72 hours. And, if the breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms”, organisations must also inform those people without undue delay.
So why did EasyJet take four months to warn customers that hackers had their personal information?
EasyJet customers are at risk
EasyJet is trying to defend itself by claiming that “there is no evidence that this information has been misused by criminals”. Instead, the airline claims that its investigation into the attack suggests that hackers were targeting “company intellectual property” rather than information that could be used in identity theft. It believes a group of Chinese hackers might be behind the attack, and that this group has previously targeted travel records and other data valuable for counterintelligence.
But EasyJet can’t possibly know the extent of the threat.
A data breach can result in both financial and/or identity theft, and the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Even an email address can be used to extract additional data and cause harm. Furthermore, hackers often sell stolen data to other criminals to use in future scams. As such, the impact of data breaches goes much further than financial losses. Many victims go on to suffer from stress, anxiety and distress, and the effects of a data hack might not be immediately apparent.
Plus, 2,208 customers had their credit card details accessed. This is an undeniable threat. And, while EasyJet informed these customers about the hack in early April, that’s still a very significant delay.
Has Covid-19 changed things?
EasyJet claims that, since it became aware of the incident, it has now become clear that owing to COVID-19, there is heightened concern about personal data being used for online scams.
It is true that hackers will likely try to take advantage of people who are cancelling flights because of the pandemic. But, while COVID-19 gives cybercriminals an extra opportunity to contact and attempt to exploit customers, we would argue that this risk has always existed. As such, we find it hard to accept this justification for the delay.
EasyJet claims it wasn’t able to warn customers before now
As the details of this case emerge, EasyJet has also justified the delay by claiming that it took time to understand the scope of the attack and to identify who had been impacted.
This might very well be the case (and the ICO’s investigation into the breach should establish if this is true). But, if EasyJet cared about the safety of its customers, it could have issued a general warning. This would have allowed people the opportunity to put additional security measures in place until the full details were known. By not doing this, EasyJet left millions of people vulnerable for months.
The ICO has raised concerns about phishing following the EasyJet data breach
On the recommendation of the ICO, EasyJet eventually alerted customers and warned them of the risk of phishing. Phishing is where a fraudster poses as a legitimate organisation (e.g. EasyJet), the police, or someone else you trust to trick you into handing over sensitive information such as usernames, passwords and financial data.
The impact of a phishing scam can be devastating, and we have seen cases where the financial losses only start to occur three to six months later. This is often because the data stolen is used in batches over time. As such, EasyJet customers affected by this breach must be on their guard. The ICO has advice on its website on how to spot phishing scams.
It is also possible that customers of EasyJet might have experienced increased phishing attempts over the past few months because of the breach. If this has happened to you, we encourage you to let us know.
Has EasyJet put you at risk?
EasyJet warned customers whose credit card details were stolen in early April. All other customers will have been notified by no later than 26th of May 2020. If you have been a customer of EasyJet, and haven’t yet received this communication, it is worth checking your spam folder in case it has been directed there.
At Keller Lenkner, we have been contacted by many EasyJet customers who are concerned about the breach of their data. We believe that EasyJet may have failed to uphold these customers’ data security rights. Not just because of the initial hack, but because of the delay in informing customers.
As such, we are now registering victims of this breach to a no-win, no-fee group litigation action against the airline. Group actions can be a powerful tool and can have a bigger impact than a single claim.
Those involved in this breach booked flights from 17 October 2019 to 4 March 2020.
To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen.
There are no costs to register and no obligation to proceed.