easyJet problems grow as customer data hacked
Nothing illustrates the plight of the airline sector better than easyJet’s torrid May, which included an acrimonious AGM, a planned 30% cut in staff numbers and a potentially expensive data breach.
Amid the corporate dramas, it might be easy to overlook the data breach, unless you happen to be one of the 9m customers whose itineraries and personal data were allegedly stolen between October 2019 and January 2020.
Under questioning from the press after announcing the breach to the stock market on 19 May, easyJet said passwords and credit card details were not compromised, though it did admit that 2,208 card details were lifted from online accounts.
“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications,” the company said. “We would like to apologise to those customers who have been affected by this incident.”
An ICO tweet on 19 May confirmed it was investigating the incident.
A sequence of airline breaches
This is the third major data breach recorded for airlines in the UK in recent years following even bigger incidents that resulted in a £183m fine for British Airways and a £500,000 penalty for Cathay Pacific.
In the Cathay Pacific case, the airline’s failure to secure its systems resulted in unauthorised access to passenger personal information including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
More than 111,000 of the 9.4m compromised records related to UK customers.
easyJet now faces a similar claim for £18bn from the same firm and may need to consider provisioning for potential ICO penalties alongside some of the other exceptional costs that may be hitting its accounts over the next year or two.
The law firm estimates that each affected person may be able to claim up to £2,000 in compensation, without having to provide evidence of loss, under Article 82 of the EU General Data Protection Regulation (EU-GDPR).
Plans to cut 4,500 jobs
After resisting an attempted coup by airline founder Stelios Haji-Ioannou at its virtual AGM on 22 May, easyJet brought forward plans to cut up to 4,500 jobs – nearly a third of its workforce – as a result of the air travel slowdown due to Covid-19.
On 28 May easyJet CEO Johan Lundgren commented: “Although we will restart flying on 15 June, we expect demand to build slowly, only returning to 2019 levels in about three years’ time.”
With cuts in the size of its fleet (opposed by Haji-Ioannou) and the 30% cut in staff numbers, Lundgren vowed to continue looking to remove non-critical expenditure at every level to “ensure that we emerge from the pandemic an even more competitive business than before”.
Shares take off
Weirdly, share prices for easyJet have risen since March, when UBS analysts upgraded the stock from “sell” to “buy” after the price had dropped 33% since the start of the year.
The Swiss bank noted that volumes, pricing and margins were under pressure thanks to the coronavirus, but expected the impacts to play out during the current financial year.
After the AGM, investors appeared to agree with the airline’s redundancy plans and travel share prices started climbing on news that lockdown restrictions could be lifted. easyJet was one of the biggest gainers, rising more than 30% in value since it announced the data breach on 19 May.