EasyJet revealed on May 19, 2020, that it had been the subject of a sophisticated cyber-attack. According to the airline group, nearly nine million customers' email addresses and travel details were accessed globally, with 2,208 customers' credit and debit card details (including each card's security code) being accessed. EasyJet has also declared that there is no such thing as a free flight.
EasyJet’s reputation will almost certainly be harmed as a result of a large-scale data breach involving a household name.
EasyJet will be investigated by the Information Commissioner’s Office (ICO), as well as other relevant agencies. In addition, it might face a £18 billion group litigation claim as a result of the breach.
For violations of the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 (‘DPA 2018’), the UK Information Commissioner’s Office (‘ICO’) may levy fines of up to 4% of global revenue or £17 million, whichever is greater. Many may recall that in July 2019, the ICO announced its first intention to fine under the GDPR and the DPA 2018.
After the personal information of half a million customers was compromised, British Airways was fined £183.39 million, and Marriott was fined £99.2 million for a breach that exposed approximately 339 million guest records worldwide, of which 30 million relate to individuals in the European Economic Area. The final decisions on both proposed fines have not yet been made public.
While the ICO stated at the start of the Covid-19 pandemic that it would review reported incidents in an “empathetic and proportionate” manner, and the aviation industry is one of the hardest hit by the pandemic, the number of customers affected by the EasyJet data breach is enormous.
Despite EasyJet’s claims that the attack was sophisticated, penalty notices issued by the ICO in the past (including a recent fine levied against Cathay Pacific) indicate that the ICO is likely to assess the level of sophistication of the attack in light of the business’s resources and compliance practices.
It is also unclear how far the ICO will accept EasyJet’s justifications for why the incident was not disclosed sooner, given that suspicious activity was first identified in January. Controllers must notify the ICO within 72 hours of becoming aware of a data breach.
PGMBM, a UK firm specialising in group litigation, filed a claim form in the London High Court on May 22, 2020, seeking a group litigation order, which would allow PGMBM to handle the claim on behalf of those affected individuals who choose to ‘opt in’ during a set period (as opposed to the ‘opt out’ style representative claims in Lloyd v Google EWCA Civ 1599).
Google was granted permission to appeal Lloyd v Google earlier this year, and the Supreme Court decision is not expected until later this year at the earliest. If Mr Lloyd is successful in his claim, the case could provide much-needed insight into how damages in data breach group actions would be calculated.
With individuals becoming more aware of their data subject rights, and specialised firms widely marketing group litigation claims in the wake of large-scale data breaches, more group litigation claims are likely to arise in the next 12 to 24 months in reaction to data breaches.
Small and large businesses alike are vulnerable to sophisticated cyber-attacks, particularly during the present pandemic, when most businesses will have a proportion of their employees working remotely. Organisations are generally advised to assess and update their information security practices on a regular basis.
The National Cyber Security Centre also offers helpful advice on minimising the impact of cyber security incidents, managing security risk, protecting against cyber-attacks, and detecting cyber security events.
When suspicious activity in an IT system is discovered or reported, businesses should remember that the 72-hour reporting window begins when it is reasonably certain that a data breach has happened. If the deadline cannot be met for any reason, organisations must be prepared to explain why.