In January 2020 EasyJet suffered a complicated cyber attack on its IT systems. It was so complicated that it took months to unravel what data had been accessed. By April EasyJet were aware of the scope of the breach, that the personal data of 9 million customers had been taken, including credit card details of just over 2,000 of those.
On 19 May 2020 the security breach was reported on the BBC so that the 9 million affected customers could be wary of phishing attacks.
The process must start to work better than this. How many phishing attacks had already happened between January and 19 May 2020 based on the EasyJet data? We will never know but why would the hackers wait if that was their intention?
UK GDPR states that a mandatory security breach report should be made to the Information Commissioner within 72 hours of becoming aware that there had been a breach. It also provides for notifying those affected if there is a risk that they will suffer detriment as a result of the breach.
The breach is under investigation by the Information Commissioner’s Office so a report will be published in due course. It will be interesting to read the findings into the breach reporting.
Mandy Webster, Data Protection Consultant