Another UK airline suffers a malicious cyber-attack, exposing customer data. Will a fine from the ICO be landing on their runway shortly? 2020 has not been an easy year so far for the airline industry. Of course, global travel has essentially ground to a halt following the lockdowns imposed to help curb the Covid-19 pandemic. Many airlines have had to either furlough staff or simply make them redundant so that they are able to stay afloat as revenues drop. This is not the only issue facing airlines this year, as yet another airline has suffered a large data breach, opening it up to enforcement action from the ICO and lawsuits from the public.
At the beginning of 2020, the low-cost airline EasyJet was the target of a malicious cyber-attack in which the details of up to 9 million customers could have been accessed by the hackers, including their names, email addresses, payment information and travel details (essentially location data). EasyJet was aware of the hack in January and informed the ICO immediately; however, it was not until the end of May that customers were informed of the breach of their data. EasyJet has stated this was only because its investigation into the matter needed to prove that customers had been affected by the breach.
This breach could have serious effects for EasyJet's customers, as it appears that payment information, including credit card numbers and CVV numbers, had also been exposed in the hack.
EasyJet has stated that this hack was likely aimed at obtaining the company's intellectual property rather than at information that could be used for identity fraud. Even if this is the case, it is impossible to know what will happen to those details in future, and the incident shows a clear weakness in the systems and protections the organisation had in place to protect customers' personal data. The ICO has said that it is investigating but has not yet announced any enforcement action.
EasyJet should be worried, however, as a very recent precedent has been set for an airline that failed to adequately secure its customers' data: Cathay Airlines discovered this in March 2020, receiving a £500,000 fine. This fine was exceptionally large in the context in which it was given, as it was issued under the old UK Data Protection Act 1998, where £500,000 represents the maximum possible fine. EasyJet could be subject to a much larger penalty under the new UK Data Protection Act 2018 and the GDPR, where fines can reach €20m or 4% of the company's global annual turnover, whichever is greater. For reference, EasyJet had revenue of around £6 billion in 2019, so based on that figure a fine could far surpass the €20m threshold if the ICO seeks to hand out the maximum penalty possible. For further context, another UK-based airline, British Airways, was handed a €200m fine for breaching the GDPR in August 2019, after it also suffered a hack which compromised the personal data of 500,000 of its customers.
Not only is there a risk of a multimillion-pound fine from the ICO, there is also the danger of a lawsuit that could potentially cost billions, according to several headlines that have appeared over the last couple of weeks, as a lawsuit seeking around £2,000 per customer affected by the breach has been filed in the High Court. Article 82 of the GDPR gives data subjects a right to receive compensation for inconvenience, distress and loss of control over their personal data. Whilst the ICO, as mentioned earlier, can issue a fine as punishment to an organisation for failing to secure the personal data it is responsible for, it cannot award compensation to victims, which is why this matter has been taken to the courts.
What could EasyJet have done to prevent this from occurring? The facts will become clear once the ICO's investigation is concluded, detailing what occurred and what measures had been taken by the company. But this is now the third airline the ICO has had to investigate because hackers breached a company's security measures, so big questions will have to be asked about the cyber-security measures being implemented across the industry.
The fine and the court case combined, coupled with the reputational damage from this and the ongoing economic effects of the Covid-19 pandemic, signal to me that it's not going to be clear skies ahead for EasyJet for a while.