EasyJet has admitted that the personal data of approximately nine million customers has been affected by a “highly sophisticated cyber-attack”.
On Tuesday, the company said that customers’ travel details and email addresses were accessed and it would contact those affected.
It has been reported that, of the 9 million people affected, 2,208 had credit card details stolen. As one of the largest breaches to affect any UK company, commentators are speculating on the size of the fine EasyJet may face, a punishment that would compound the ongoing challenges presented by the coronavirus pandemic. British Airways was fined £183m last year after the personal data of 500,000 customers was stolen by hackers.
EasyJet confirmed it had reported the incident to the Information Commissioner’s Office (ICO), the UK’s data supervisory authority, and the National Cyber Security Centre.
With the vast majority of organisations being forced to implement widespread remote working, and cyber-criminals ratcheting up their fraudulent scams, the EasyJet breach serves as an extreme example of the increased risks organisations face.
With most staff likely to be working from home or in different circumstances, personal data held by businesses could become more vulnerable to data breaches. Alongside this, data relating to employee health during the pandemic may be subject to special security requirements.
Businesses are implementing contingency planning, with staff working from home and using domestic internet and possibly personal devices to access cloud-based software. This makes it more important than ever to keep data safe and secure, as fines for data breaches will still apply.
The General Data Protection Regulation (GDPR) provides strict operating boundaries for businesses processing personal data about individuals. There is a statutory obligation to notify the regulator of certain breaches which place an individual’s personal data at risk. It also gives wide-ranging powers to the ICO, which can impose high penalties for breaches.
Tackling the threat of coronavirus is taking businesses into uncharted territory. Whilst data protection law doesn’t stand in the way of homeworking, or the use of personal devices, it demands even greater attention to security measures.
The human element is often the cause of data breaches, and without direct supervision or colleagues to consult, such breaches may be more likely to happen.
The other major threat to data security during the crisis is the handling of individual information about staff and visitors who have travelled to high risk areas, their symptoms, test results and when self-isolation has taken place. This is personal data protected by the GDPR, but where it concerns health it may be special category data under Article 9 of the GDPR, which requires special security measures and increased documentary requirements.
Such information should be collected and used only as absolutely necessary in managing risk and should not be retained unless essential. The collection, management and sharing of such information should be set out in an appropriate policy document so organisations know what data they hold, their legal justification for holding such data and how it should be protected and shared responsibly.
The ICO has published advice to help organisations face up to the data management challenge. While it says it will be pragmatic about matters such as the speed of response to information requests during the crisis, there is no suggestion that it will accept reduced standards of data security.
Understandably, organisations will be struggling to keep pace in this fast-changing environment, but it’s important to make sure safe data protection practices are implemented. The ICO has the power to impose significant fines and the damage to corporate reputation can be immense.
The message is to be pragmatic, whilst maintaining appropriate data security standards, and there are simple steps that can be taken by all businesses to achieve this balance.
For more information on any of the above, or how we can help you or your business, please contact Ben Jackson, or call 0191 232 8345.