easyJet data breach throws data protection under scrutiny
easyJet’s £18bn data breach is set to be the biggest legal claim in UK history. Industry expert Bill Mew offers the key insights brought to light on risk appreciation and cyber crisis preparedness.
The recent easyJet data breach is shaping up to be a prime example of how data protection can go spectacularly wrong, setting both a new record and precedent. With the records of 9 million individuals lost and a claim being brought for £2000 each, it became clear when papers were filed on 22 May that this would become the largest privacy claim in the UK ever.
It has now also been revealed that over 10,000 claimants have registered with PGMBM in the last three weeks via a dedicated website set up to help victims get justice. This means not only that the claim is now viable and most likely to go ahead, but also that it has become the fastest growing claim of its kind in UK legal history as well as the biggest.
Remarkably, easyJet has now launched a £450m rights issue valued at 15% of its share capital. Having already raised £1.7bn of additional funding during the pandemic and paid a £174m dividend to shareholders in March, this move is questionable given the ongoing legal proceedings.
What can we learn from this?
Customers in all sectors, not just tech, are becoming increasingly discerning and demanding. Research into what they expect of companies, rather than governments, has found that data security and privacy have surpassed even diversity and sustainability. Indeed, cybersecurity is now the main concern consumers expect firms to take a stand on, and they will be unforgiving of any failing. And with good reason.
Impact for individuals
Under Article 82 of the EU General Data Protection Regulation (EU-GDPR), easyJet customers whose data was compromised by the breach have a right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.
Personal data can be abused in a variety of ways. Stolen passwords can be used to access other systems and accounts if they are reused – which many of us are guilty of. Email, postal address and date of birth can all be used in phishing attacks, where cybercriminals pretend to be your bank, a credible utility company or another trusted entity to make you click on a malicious link or provide information such as bank details or passwords. Along with social profiling, this kind of spoofing can lead directly to fraud and identity theft, and while it is a common tactic that cybercriminals use to target older or less digitally savvy people – it can happen to anyone.
Where and when you’re going away and who you’re going with is your business, not anyone else’s. Your information could not only be used by blackmailers, but also by burglars who could target your home while you’re away.
How firms can protect themselves
Prevention is always better than the cure – investing in cybersecurity is essential. However, as with easyJet, prevention and detection don’t always work. Many organisations take out cyber insurance to cover themselves. The reality, however, is that most policies include so many exclusions that it is almost impossible to claim for any incident, making the policies not worth the paper they’re written on.
The answer is cultural. Most individuals, departments and organisations are managed and incentivised based on revenue and profit-centric ROI (return on investment) metrics. But ROI frameworks leave little or no room for effective risk appreciation. In fact, there’s really only one senior manager focused on return on risk (ROR) instead of ROI: the CISO (Chief Information Security Officer). That difference in priority may put the CISO at odds with the rest of the management team. They may become isolated, and even scapegoated when things go wrong – even if their warnings were ignored.
It’s as if the senior management team is watching a TV where only two of the three colour feeds are working (revenue and profit). They can see what’s happening across the business, but they don’t get the full picture. When major risks do appear, out of the blue, they can be visible to the CISO but not to the others.
Reforming company culture to shift from an all-ROI focus to more of an ROI/ROR balance will be a challenge. However, two recent major disruption events, the 2008 global financial crisis and the recent pandemic, coupled with headlines about fines from GDPR regulators in Europe and the FTC in the US, as well as litigation like the easyJet case in all regions, are making executive teams take risk and in particular cyber risk more seriously.
Cybercriminals are opportunists and have seen the recent shift to home working as a massive opportunity. While the added vulnerabilities and the resulting wave of attacks have yet to reveal themselves in breach discoveries and disclosures, a long-term upward trend already existed that we should all have been concerned about.
We will inevitably see more cyber incidents, more fines and more claims, with cyber insurance policies not paying out or not paying in full – Norsk Hydro had extensive cover, but when it suffered a ransomware incident that cost it over €70 million, the payout was €3.6 million – 6% of the total.
In addition, attempts to combat financial crime have led to the SMCR (Senior Managers and Certification Regime), and measures to combat health and safety abuses have led to corporate manslaughter provisions, both of which seek to hold not only companies but also their directors to account. While many will see the GDPR as draconian, and claims such as the easyJet one as alarming, it is probably just a matter of time before we see the sanctions for privacy failures being extended to company directors as well.
However, unlike credit risk in the global financial crisis and health hazard during the pandemic, the cyber threat is not only very visible, but organisations still have time to address it.
What can you do?
Effective cyber defences, together with backups designed to recover systems and maintain business continuity, aren’t just ‘nice to have’; they are a legal obligation under the GDPR, which mandates “regularly testing, assessing and evaluating” cybersecurity processes.
We recommend conducting scenario planning, penetration testing and back-up and recovery drills, as well as fully immersive simulation exercises to test if your crisis response team (people with technical, legal, reputational and social media responsibilities) can communicate and collaborate well under pressure. Realistic rehearsals are needed, rather than lecture-based training, as stress significantly impacts our situational awareness. Such simulation experience may also help senior management appreciate cyber risk and better understand the need for crisis preparedness.
Crisis management textbooks suggest there’s a ‘golden hour’ after an incident goes public in which you have a chance to save the brand. With most incidents, as the victim of crime, if you act quickly and show empathy for your customers then the press and public should have sympathy for you. Unfortunately, this doesn’t work for cyber incidents as the press and public will blame the company – rather than the hackers – for any loss of personal data.
Instead, you need to act rapidly, conducting expert forensics to ascertain the nature and scope of the incident. Then use this not only to fix the breach but also to build a legally defensible narrative and a brand defence plan.
- Before things go wrong: Seek to change your performance measures to adopt an ROI/ROR balance, and regularly test, assess and evaluate your cybersecurity processes, including your backups. Also, make sure that you have a cyber incident response plan and use realistic simulation exercises to test it.
- And if things go wrong: Be prepared for the fact that you’re going to get the blame, and don’t treat a cyber incident like any other crisis; implement a forensically-based legal and reputational response.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...