A cyber-attack on budget airline EasyJet that has resulted in the exposure of the email addresses and flight details of 9 million of its customers and the credit card details of 2,208 of them is a reminder to all of the vulnerabilities, risks and obligations in relation to personal data.
Two years on from the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA), and the Network and Information Systems Regulations 2018 (NIS) coming into force, there is an expectation that cybersecurity programmes exist in organisations to protect data. Implementation of programmes that adequately protect against potential attackers and ensure compliance with the GDPR, DPA and NIS remains a key challenge faced by businesses operating in the UK and beyond.
What are the data protection obligations?
Organisations must comply with both the GDPR and DPA, which require businesses to implement security measures to safeguard the personal data that they process. This means they must:
- Keep personal data secure and only permit third parties access to the personal data subject to sufficient guarantees regarding the security of the processing services.
- Implement technical measures e.g., firewalls and anti-virus programs.
- Implement organisational measures e.g. policies and procedures relating to cybersecurity such as restricting access rights appropriately on a need to know basis, related to business functions.
- Protect against unauthorised or unlawful use of the personal data and against, loss, destruction and damage.
Sanctions can be imposed when a business has failed to implement measures to safeguard systems and data from potential attackers and for inadequate responses to attacks.
In response to the breach, EasyJet CEO Johan Lundgren has stated that they “take the cyber security of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated”.
It remains to be seen whether EasyJet could face a hefty fine.
Depending on which specific obligations under the GDPR are breached, companies can face fines:
- of up to 2 % of the total worldwide annual turnover of the preceding financial year (for example, for not implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk; or not notifying the breach to the supervisory authority when required (Article 83(4)(a) GDPR)) and
- of up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (for example, for not complying with the data protection principles set out in Article 5 such as Integrity and Confidentiality) (Article 83(5)(a) GDPR).
Notification of a personal data breach
The GDPR requires that, in certain circumstances, controllers who suffer a personal data breach must notify data protection authorities (in the UK – the ICO) and individuals whose personal data has been compromised without undue delay and no later than 72 hours after having become aware of the breach (Article 33 GDPR). Whether such notifications are required will depend on an assessment of the level of risk resulting from the personal data breach.
When assessing the level of the risk, controllers must carry out an objective assessment and take into account a combination of factors including the severity of the potential impact on the rights of individuals and the likelihood of these occurring. Organisations that have factors documented in internal guidance means they are more likely to facilitate decision making in what can be stressful situations.
Controllers must also document their risk assessment and maintain a log of personal data breaches whether they determine they are notifiable or not. Internal guidance should ideally include an assessment template for documenting risk assessments.
The attack on EasyJet, described by the airline as originating from a highly sophisticated source, has already been reported to the ICO and the National Cyber Security Centre (NCSC).
Acting swiftly to avoid further damage
EasyJet have commented that since they have become aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. EasyJet has reported that on the recommendation of the ICO, it started to contact those customers whose credit card details had been accessed and offered them appropriate support. Presumably, EasyJet and the ICO concluded that in this case there is a high risk to the rights and freedoms of individuals, which is the threshold laid down by Article 34 of the GDPR for data breaches to be notified to individuals.
Article 34 of the GDPR requires companies that suffer a breach to take measures and inform individuals about the measures taken or proposed to address the breach.
EasyJet stated that it had taken immediate steps to halt the attack and seal off the breach as soon as it became aware it had been compromised. It has also engaged a security forensics team to investigate the incident. The GDPR outlines effort to mitigate damage suffered by data subjects as one of the factors that should be taken into account when determining the amount of a fine (Article 83 GDPR). In addition, the ICO has stated that the degree of co-operation with them is a factor relevant to the issuing of fines.
For organisations such as EasyJet, the benefits of focussing on customers in a user-friendly and practical manner can be significant in managing the risk of complaints. While EasyJet say there is no evidence that the accessed data has been misused, there is still the risk that the information could be used later. Other measures that EasyJet may introduce include offering credit monitoring to customers. In addition, EasyJet confirmed that no passport details have been exposed however; they should monitor the situation closely and take any appropriate action.
The effect of this breach is yet to be seen, but it is certain that stakeholder confidence may be shaken as a result – a status during the COVID-19 pandemic all would like to avoid.
As we know, data security and being ready to deal with such incidents and personal data breaches are vitally important.
The key lessons from our experience of assisting clients with security incidents are to prepare and test well in advance. Factors to consider include in advance of a potential breach:
- Involve a team of experienced lawyers with proven security/personal data breach expertise to advise on how to draft an incident response plan (and rehearse the plan so that when the breach happens, you know how to respond – trying to do this once a breach has occurred is likely to cost more time and money).
- Ensure a risk assessment methodology (for deciding whether/who to notify) exists.
- Create and implement appropriate policies, processes and training.
- Conduct vulnerability tests to identify any weaknesses.
- Record security measures/incidents information (notifiable or not) to demonstrate accountability.
Our team can help with breach preparedness, response planning, training and reports to supervisory authorities and affected data subjects.