Expert Insight: easyJet data breach

By now I’m sure that you have heard about the easyJet data breach. More than 9 million customers suffered breached personally identifiable information (PII), and some 2,000 customers had their card details “viewed”. Hugo van den Toorn, manager of offensive security at Outpost 24 warned that “often after such a breach, information will be sold on to underground marketplaces, this kind of data is then often used in various attacks: Credit card details for making illicit payments and personal details for targeted phishing attacks”. The significant damages following this breach will most likely result in hefty regulatory fines and substantial loss of trust between easyJet and its customers. In fact, Under GDPR legislation, the Information Commissioner’s Office (ICO) can impose a fine of 4 per cent of easyJet’s turnover in 2019, which could amount to £255m.

Johan Lundgren, CEO of easyJet issued a public apology yesterday, highlighting the increased risk that customers face in a landscape dominated by COVID-19 themed phishing scams. “Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

Niamh Muldoon, senior director of trust and security at OneLogin noted that “easyJet have followed correct procedures by notifying the customers who were affected and publicly warning the nine million people whose email addresses had been stolen”. However, Muldoon raised further issues with current security standards, stating: “attackers know that many organisations are not taking a strong enough stance when it comes to access security.” This is a thought that is echoed by Felix Rosbach, product manager at data-security specialists comforte AG, who said “Organisations that process PII data need to take a serious approach to data-centric security. There are proven methods available which can reduce the impact of such data breaches”. Unfortunately, easyJet did not display a data-centric mindset.

Rosbach continued to explain how easyJet could have avoided this breach: “Tokenization is a great example. With such an approach, all sensitive data elements get replaced by tokens. That means that in the case of a data breach, the data is worthless for attackers”. Chris Hauk, consumer privacy champion at Pixel Privacy emphasised Rosbach’s assertion stating that “”Data breaches like the EasyJet breach underscore the need for increased security on the part of corporations, as well as constant vigilance on the part of consumers who must work to ensure they are not using the same login and password information on multiple websites.”

The majority of security professionals that we spoke to have the same issue with the easyJet breach. Indeed, Brian Higgins, security specialist, told the IT Security Guru that “easyJet should have a comprehensive incident response plan to deal with this attack. The coming days will show us if that is the case, although how they can assure their customers that ‘there is no evidence that any personal information of any nature has been misused’ shows a worrying naivety.” Unfortunately, this naivety will end up damaging the trust between easyJet and their holiday-going customer base. Robert Ramsden-Board stated that “Passengers have to trust that airlines are securing their Personal Identifiable Information when they book with them, but a breach of this magnitude breaks that trust.”

Unfortunately, this breach will result in a significant number of phishing scams. As Ramsden-Board stated, “we will most likely see a series of phishing attacks targeting EasyJet customers in the near future, so all customers should be on the alert for suspicious activity.”

With this in mind, anyone that has used easyJet in the past should be sure to change their security preferences and update your credentials to a unique password to prevent any further personal damage.