EasyJet is facing an £18 billion class-action lawsuit for failing to protect the personal data of 9 million customers. The airline company announced mid-May that the personal information of millions of customers was exposed in a data breach which happened at the beginning of the year. The hacked information includes full names, email addresses and travel data. In addition, the credit card details of over 2,200 people were accessed.
This is one of the biggest data breaches to affect the airline industry. In this post, we’ll outline key lessons from EasyJet’s missteps that every company should be cautious about.
1. Investing in Cybersecurity is not optional
Although EasyJet did not provide detailed information about the cause of the breach, the company described the attack as a “highly sophisticated cyber-attack”. This is not the first massive data breach to affect the airline industry. Cathay Pacific Airways was recently fined £500,000 for a data breach which affected 9.4 million customers over a four-year period. According to the ICO, the breach was particularly concerning because several basic security measures were inadequate, which gave hackers easy access.
When you are dealing with personal or sensitive data, it is your responsibility to make sure there are appropriate security measures and controls in place to safeguard people. We recommend engaging with experts to conduct a thorough risk assessment of areas in your business susceptible to attacks. At Kazient, our consultants analyse our clients’ business processes from start to finish to make sure they are safeguarding their clients’ data at every turn.
Basic controls that should be in place include anti-virus protection, restricted access to protected files, strong passwords, multi-factor authentication and an assessment of risk from third-party vendors. If a data breach happens, you want to be able to demonstrate that you took necessary steps including engaging the help of GDPR consultants and cybersecurity experts to protect personal data.
2. How you handle a data breach is important
How you handle a data breach is important for rebuilding trust and protecting your reputation. Under GDPR, if your company has fallen victim to a data breach, it is mandatory to report it to the appropriate investigative body within 72 hours. After this, notifying customers and helping them by providing advice is equally important. Although EasyJet immediately alerted the ICO about the data breach, customers were only informed four months after the attack.
In their statement, the airline company said,
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risks of potential phishing.”
A data breach can have a significant impact on the lives of customers if precautions are not taken. From phishing emails to scam messages, victims of a data breach are also susceptible to identity theft if personal details have been accessed. In EasyJet’s case, credit card information with full names was exposed during the breach. This means thousands if not millions of customers have been vulnerable to further hacks in the past four months.
To avoid devastating scenarios for your customers, ensure that you have a response plan in place if a data breach does happen. Determine communication channels and ways to alert customers in advance. In addition, how will you assess the impact and damage of the breach? Do you have steps in place to mitigate future risks and minimise damage? What are the steps you will take to support affected customers? These are all questions you need to think about, and you should hire experts with experience in this field to guide you through them. We provide an award-winning Data Protection Officer service specifically tailored to our clients’ individual needs to make sure your compliance needs are met.
3. Data breaches are costly
EasyJet is currently facing an £18 billion class-action lawsuit over its failure to protect customer data. PGMBM, an international law firm renowned for group litigation, is representing the customers impacted by the breach. If successful, EasyJet will be liable to pay £18 billion, a payout of £2000 per affected customer.
Tom Goodhead, Managing Partner of PGMBM said,
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers. This is personal information that we trust companies with, and customers rightfully expect that every effort is made to protect their privacy. Unfortunately, EasyJet has leaked sensitive personal information of nine million customers from all around the world.”
In addition, customers in Northern Ireland have also initiated group litigation against EasyJet. These lawsuits are separate from the fine the Information Commissioner’s Office may issue if EasyJet is found guilty of not having adequate security controls. Under GDPR, companies are liable to be fined up to 4% of global turnover for a data breach.
Whether you operate a small, medium or large business, it is important to understand that not only will a data breach severely impact your reputation, it is also extremely costly!
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.