Ralf Helkenberg (Research Manager, European Privacy and Data Security)

If weathering the economic effects of the COVID-19 storm was not enough of a challenge, UK budget airline easyJet must now deal with the fallout of a major data breach. The email addresses and travel details of 9 million customers, as well as the credit card details of 2,208 customers, were exposed in what the airline described as a highly sophisticated cyberattack.

The data breach is reported to be the latest in a series of attacks on airlines by suspected Chinese hackers, who target the bulk theft of travel records and other passenger data.

easyJet first became aware of what was happening in late January, and took immediate steps to manage the incident, including notifying the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). In early April it informed those whose credit card details had been exposed.

The company states that there is no evidence that any of the personal information accessed has been misused. Because of the increased incidence of phishing attempts during the coronavirus outbreak, the company, on the advice of the ICO, is now taking steps to inform the remainder of the 9 million affected passengers so that they can be on guard for targeted phishing.

Airlines and Data Breaches

When it comes to cybersecurity, the airline industry does not have a great record, with several high-profile breaches in recent years. In 2018, Hong Kong's Cathay Pacific Airways disclosed that hackers had accessed information on 9.4 million customers. Air Canada and Delta Air Lines suffered similar data breaches.

The ICO announced last year that it intended to fine British Airways a record £183 million after a data breach exposed the booking details of around 500,000 customers. Attackers had harvested customers' payment card details by injecting card-skimming code into the payment pages of its website.

Regulatory Steps

The data breach also raises the possibility of easyJet incurring a fine. The ICO sent out a clear message when it proposed record-setting penalties on BA and Marriott International: companies must ensure that their information security is in order, and review and update it on a regular basis, if they want to avoid significant penalties.

The ICO will be particularly keen to know whether easyJet had "appropriate technical and organisational measures to ensure a level of security appropriate to the risk", the standard set by Article 32 of the GDPR.

GDPR fines are, however, discretionary rather than mandatory, and where issued must be "effective, proportionate and dissuasive" in each individual case. The ongoing COVID-19 pandemic adds a new dimension to that assessment.

In recently issued guidance, the ICO said all enforcement actions will take into account "economic impact and affordability", and as a consequence it expects to issue lower fines.

Given the economic difficulties the airline industry now finds itself in, there is probably little appetite for the ICO to impose a sizeable GDPR fine when the sector is already on its knees. A final fine against BA has still to be set, and a significant reduction from the headline figure in last year's notice of intent looks likely.

Customer Trust

The extent of the damage from this data breach has yet to be seen, but it is certain that customer and stakeholder confidence will be shaken as a result. easyJet may not have been obliged under the GDPR to notify customers whose basic booking details were compromised, since notification of individuals is required only where a breach is likely to pose a "high risk to rights and freedoms", but not having been transparent and honest with customers earlier could backfire.

With customers already angry at not receiving refunds on their cancelled flights, sugar-coating the breach may create more negativity and further diminish trust.

Rebuilding Trust After a Data Breach

Given the steady frequency of cyberattacks, it is safe to say that data breaches are no longer a question of if, but when. A data breach will affect consumer trust and damage business reputation. The way in which organisations respond can go a long way towards restoring that trust.

The faster the response, the greater the chance that customers will react favourably. Keeping quiet about a data breach will only harm business reputation further when the facts emerge.

Consumers are willing to forgive, but their trust can only be regained if organisations are responsive and transparent. This includes keeping customers informed about the steps taken to secure their data, as well as the preventative measures put in place to ensure there is no repeat of the security breach.


Join us in our Future of Trust webcast on 2 June to learn how the digital enterprise of the future can engender trust among its customers and across the supply chain, despite a backdrop of business and technology transformation. Although trust is a foundational topic for all business and technology conversations, we will bring focus to the event with an emphasis on security, privacy, compliance, risk, ethics, and social responsibility.
