CEO and founder Crisis Team
Columnist

easyJet data breach throws data protection under scrutiny

easyJet’s £18bn data breach is set to be the biggest legal claim in UK history. Industry expert Bill Mew offers the key insights brought to light on risk appreciation and cyber crisis preparedness.

25th Jun 2020
Airbus A319 of EasyJet arrival to PRG Airport in Prague on July 21, 2019. Easyjet is a the second largest low cost airliner in Europe.

The recent easyJet data breach is shaping up to be a prime example of how data protection can go spectacularly wrong, setting both a new record and a new precedent. With the records of 9 million individuals lost and a claim being brought for £2000 each, it became clear when papers were filed on 22 May that this would become the largest privacy claim ever brought in the UK.

It has now also been revealed that over 10,000 claimants have registered with PGMBM in the last three weeks via a dedicated website set up to help victims get justice. This means not only that the claim is now viable and most likely to go ahead, but also that it has become the fastest growing claim of its kind in UK legal history, as well as the biggest.

Remarkably, easyJet has now launched a £450m rights issue valued at 15% of its share capital. Having already raised £1.7bn in additional funding during the pandemic and paid a £174m dividend to shareholders in March, this move is questionable given the ongoing legal proceedings.

What can we learn from this?

Customers in all sectors, not just tech, are becoming increasingly discerning and demanding. Research into what they expect of companies, rather than governments, has found that data security and privacy have surpassed even diversity and sustainability. Indeed, cybersecurity is now the main concern consumers expect firms to take a stand on, and they will be unforgiving of any failing. And with good reason.

Impact for individuals

Under Article 82 of the EU General Data Protection Regulation (EU-GDPR), easyJet customers whose data was compromised by the breach have a right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

Personal data can be abused in a variety of ways. Stolen passwords can access other systems and accounts if reused – which many of us are guilty of. Email, postal address and date of birth can all be used in phishing attacks where cybercriminals pretend to be your bank, a credible utility company or other trusted entity to make you click on a malicious link or provide information like bank details or passwords. Along with social profiling, this kind of spoofing can lead directly to fraud and identity theft, and while it is a common tactic that cybercriminals use to target older or less digitally savvy people – it can happen to anyone.

Where and when you’re going away and who you’re going with is your business, not anyone else’s. Your information could not only be used by blackmailers, but also by burglars who could target your home while you’re away.

How firms can protect themselves

Prevention is always better than the cure – investing in cybersecurity is essential. However, as with easyJet, prevention and detection don’t always work. Many organisations take out cyber insurance to cover themselves. The reality, however, is that most policies include so many exclusions that it is almost impossible to claim for any incident, making the policies not worth the paper they’re written on.

The answer is cultural. Most individuals, departments and organisations are managed and incentivised based on revenue and profit-centric ROI (return on investment) metrics. But ROI frameworks leave little or no room for effective risk appreciation. In fact, there’s really only one senior manager focused on return on risk (ROR) instead of ROI: the CISO (Chief Information Security Officer). That difference in priority may put the CISO at odds with the rest of the management team. They may become isolated, and even scapegoated when things go wrong – even if their warnings were ignored.

It’s as if the senior management team is watching a TV where only two of the three colour feeds are working (revenue and profit). They can see what’s happening across the business, but they don’t get the full picture. When major risks do appear, out of the blue, they can be visible to the CISO but not to the others.

Reforming company culture to shift from an all-ROI focus to more of an ROI/ROR balance will be a challenge. However, two recent major disruption events, the 2008 global financial crisis and the recent pandemic, coupled with headlines about fines from GDPR regulators in Europe and the FTC in the US, as well as litigation like the easyJet case in all regions, are making executive teams take risk and in particular cyber risk more seriously.

Systemic implications

Cybercriminals are opportunists and have seen the recent shift to home working as a massive opportunity. While the added vulnerabilities and the resulting wave of attacks have yet to reveal themselves in breach discoveries and disclosures, a long-term upward trend already existed that we should all have been concerned about.

We will inevitably see more cyber incidents, more fines and more claims, with cyber insurance policies not paying out or not paying in full – Norsk Hydro had extensive cover, but when it suffered a ransomware incident that cost it over €70 million, the payout was €3.6 million – 6% of the total.

In addition, attempts to combat financial crime have led to the SMCR, and measures to combat health and safety abuses have led to corporate manslaughter provisions; both seek to hold not only companies but also their directors to account. While many will see the GDPR as draconian, and claims such as the easyJet one as alarming, it is probably just a matter of time before we see the sanctions for privacy failures extended to company directors as well.

However, unlike credit risk in the global financial crisis and health hazard during the pandemic, the cyber threat is not only very visible, but organisations still have time to address it.

What can you do?

Effective cyber defences, together with backups designed to recover systems and maintain business continuity, aren’t just ‘nice to have’; they are a legal obligation under GDPR, which mandates “regularly testing, assessing and evaluating” cybersecurity processes.

We recommend conducting scenario planning, penetration testing and back-up and recovery drills, as well as fully immersive simulation exercises to test if your crisis response team (people with technical, legal, reputational and social media responsibilities) can communicate and collaborate well under pressure. Realistic rehearsals are needed, rather than lecture-based training, as stress significantly impacts our situational awareness. Such simulation experience may also help senior management appreciate cyber risk and better understand the need for crisis preparedness.

Crisis management textbooks suggest there’s a ‘golden hour’ after an incident goes public in which you have a chance to save the brand. With most incidents, as the victim of crime, if you act quickly and show empathy for your customers then the press and public should have sympathy for you. Unfortunately, this doesn’t work for cyber incidents as the press and public will blame the company – rather than the hackers – for any loss of personal data.

Instead, you need to act rapidly, conducting expert forensics to ascertain the nature and scope of any incident. Then use this not only to fix the breach but also to build a legally defensible narrative and a brand defence plan.

  • Before things go wrong: Seek to change your performance measures to adopt an ROI/ROR balance, and regularly test, assess and evaluate your cybersecurity processes, including your backups. Also, make sure that you have a cyber incident response plan and use realistic simulation exercises to test it.
  • And if things go wrong: Be prepared for the fact that you’re going to get the blame, and don’t treat a cyber incident like any other crisis; implement a forensically-based legal and reputational response.

Replies (5)

By RichardPulseCyber
26th Jun 2020 10:53

Really good article, interesting however that the focus is on the £18m litigation claim, as opposed to the potential/likely fine from the ICO which could (by rights, under the GDPR) exceed £1bn - based on EasyJet's annual turnover.

There is more risk to accounting firms (in terms of fines value, reputation damage) from ICO action than there is from legal claims - so this will be a test case very similar in scale to how Ireland's DPC is under pressure to act this summer (Facebook and Twitter both face DPC fines).

Thanks (0)
By unclejoe
26th Jun 2020 11:28

The header states £18bn - should be £18m, I think. Edit: apologies - I was looking at previous comment. £18bn correct.

Thanks (0)
By ColA
26th Jun 2020 11:55

GDPR has improved the lot of those whose data has been harvested, in contrast to the TalkTalk and associates' disaster several years ago, under the stewardship of the renowned Dido Harding.
We still ward off scam calls and spurious email spam originating from this period. Derisory recompense at the time amounted to less than £25 over six months with assurances that our custom was valued. Contrast the sum in prospect for EasyJet complainants.
Does corporate management ever learn?

Thanks (0)
By dgilmour51
26th Jun 2020 12:27

None of this is rationally or systemically supported by our derisive ICO in any meaningful way.
Any fool can take a misdemeanour arising from a compulsory breach report, and pontificate thereon, but the measurable proaction I see for my annual fee cannot be measured, at least by me.

Banks still get away with stating 'see our 500,000 words of Privacy Policy, deeply wherein you will see they will give your data away to "trusted companies in our group" or other similar wording' - and that after the best part of 4 years knowing GDPR was due or arrived.

I could turn this into a rant - but, as with all this stuff, what's the point.

Thanks (0)
By AndrewV12
05th Aug 2020 13:12

'which many of us are guilty of. Email, postal address and date of birth can all be used in phishing attacks where cybercriminals pretend to be your bank,'

It always makes me laugh, Local Authorities, HMRC, ..... sell your data on a regular basis, okay they do not sell Bank account details, but they will sell your details on anything else to whoever wants to buy it, data protection act or no data protection act.

Thanks (0)