EasyJet – The Web(hackers)’s Favourite Airline

19th May 2020 Media Law

EasyJet has today revealed that the personal data of 9 million customers was accessed in what it deems was a “highly sophisticated” cyber-attack on the airline. Of those 9 million customers affected, 2,208 have had their credit card details stolen.

Airlines are no strangers to being targeted by cyber hackers; indeed it was only last summer that the Information Commissioner’s Office announced it would be fining British Airways more than £183m after hackers stole the personal data of half a million of the airline’s customers in June 2018. The main reason the ICO gave for issuing such a large fine against British Airways was the fact that the airline was found to have had poor security arrangements in place to protect their customer’s data.

Whilst it appears that EasyJet have complied with the data breach reporting requirements of the GDPR (having promptly notified those who are affected and the ICO), it still remains to be seen whether EasyJet had the required safeguards in place to protect their customer’s data. However, one thing is certainly clear – the number of people affected by the EasyJet cyber-attack is significantly higher than those affected by the British Airways breach. This alone will have grabbed the attention of the ICO’s investigation team as their attitude is that, generally, the higher the number of customers affected, the greater the impact a breach can have.

So what happens to EasyJet now?

Firstly, the airline will be required to document the facts relating to the cyber-attack, its effects, and all of the actions they have taken in order to remedy the breach. The ICO will look at this documentation to ensure that EasyJet have complied with their accountability responsibilities under the GDPR.

Then begins the more lengthy process of investigating whether or not the breach was as a result of human error or a systemic issue. EasyJet have stated (perhaps prematurely) that there is “no evidence that any personal information of any nature has been misused”. Regardless of this, the ICO will commence their in-depth investigation of EasyJet’s cyber security measures, and will be particularly keen on establishing whether there was anything EasyJet could have done further to safeguard their customer’s data prior to the breach happening. For example, were EasyJet’s back-up files password protected, did they have adequate anti-virus protection in place, did they use unpatched internet-facing servers etc.

If the ICO feels that EasyJet did not take adequate steps to protect the data of their customers, or in managing the breach, the ICO may take regulatory action and ultimately issue a fine which could be as high as 4% of EasyJet’s global annual turnover.

Having said all this, EasyJet may find itself in the incongruous but fortunate position of being spared some mercy by the ICO due to the current situation with Coronavirus.

The ICO have stated that in conducting their investigations, they will act knowing there is a public health emergency and will take into account the economic impact and affordability before issuing fines – they have even gone so far as to state that in current circumstances, “this is likely to mean the level of fines reduces”.

In fact, despite issuing its fine against British Airways last July, the ICO have extended their notice of intent to fine the airline to May 2020. This raises the question of whether the ICO will have the resolve to bring large cases against well-resourced organisations as they are clearly taking a more light-touch approach to the amount of fines issued due to the financial impact of the Coronavirus. It certainly wouldn’t look good on the ICO if they were to issue huge fines against airlines whose fleet of aircraft has been grounded and who have had to put the majority of their staff on furlough.

Whilst we cannot say for certain how much leniency the ICO will afford to EasyJet, one conclusion to draw from this is that, at least from a regulatory fines standpoint, now couldn’t have been a better time for EasyJet to have suffered a data breach.

We're Social

Hannah Ife is an Associate Solicitor located in Londonin our Data Protection department

View other posts by Hannah Ife

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest