26 June 2020

What has happened?

On 19 May 2020, EasyJet confirmed that it had been targeted in what it described as a highly sophisticated cyber-attack. The airline group said that the email addresses and travel details of approximately nine million customers worldwide were accessed, and that 2,208 of those customers also had their credit and debit card details (including each card's security code) accessed. EasyJet has also stated that there is no evidence that the compromised customer data has been misused.

EasyJet first became aware of the attack in January, but stated that, because of its level of sophistication, it needed time to understand the scope of the attack. EasyJet first informed those customers whose card details had been affected in April.

What does this mean for EasyJet?

A large-scale data breach at a household name is likely to cause EasyJet reputational damage. EasyJet will be investigated by the ICO and may face investigation by other relevant authorities. It is also facing a potential group litigation claim of up to £18 billion in respect of the breach.

1) Regulatory fine from the Information Commissioner’s Office

Organisations may face fines of up to 4 per cent of global annual turnover or £17m, whichever is higher, from the UK Information Commissioner's Office (the 'ICO') for breach of the General Data Protection Regulation ('GDPR') and the Data Protection Act 2018 ('DPA 2018'). Many will remember that the ICO issued its first notices of intention to fine under the GDPR and the DPA 2018 in July 2019: it announced an intended fine of £183.39m against British Airways after the personal information of around half a million customers was compromised, and an intended fine of £99.2m against Marriott for a breach that exposed approximately 339 million guest records worldwide, of which around 30 million related to individuals in the EEA. The final decisions on both intended fines are yet to be published.

Whilst the ICO indicated at the beginning of the Covid-19 pandemic that it would take an 'empathetic and proportionate' approach to assessing reported incidents, and the airline industry is one of the industries worst hit by the pandemic, the number of customers affected by the EasyJet data breach is significant. Although EasyJet maintains that the attack was sophisticated, the penalty notices issued by the ICO in previous cases (including a recent fine levied against Cathay Pacific) indicate that the ICO is likely to assess the sophistication of an attack in light of the resources available to the business and its existing compliance practices, rather than accepting it at face value.

It is also uncertain to what extent the ICO will accept EasyJet's explanation as to why the incident was not reported earlier, given that suspicious activity was noticed back in January. Controllers are required to report a personal data breach to the ICO within 72 hours of becoming aware of it. The European Data Protection Board (previously the Article 29 Working Party) suggested in its guidance that a controller should be considered to have become 'aware' when it has a reasonable degree of certainty that a security incident has led to personal data being compromised.

2) Group litigation from the affected individuals

On 22 May 2020, PGMBM, a UK firm specialising in group litigation, issued a claim form in the High Court in London and sought a group litigation order, which would allow PGMBM to conduct the claim on behalf of those affected individuals who decide to 'opt in' during a set period (in contrast to the 'opt out' style representative claim in Lloyd v Google [2019] EWCA Civ 1599, which we previously discussed here). PGMBM has claimed that damages for each affected individual could be around £2,000 or more, which would bring the total value of the claim to up to £18bn. It has been reported that about 10,000 customers from 50 countries have already joined the claim.

In relation to Lloyd v Google, Google obtained permission earlier this year to appeal to the Supreme Court, and a judgment is not expected until later this year at the earliest. If Mr Lloyd is successful, the case may provide some much-needed insight into how damages will be assessed in data breach group litigation.

The Covid-19 pandemic has created a prime environment for cyber-attacks and data breaches. With individuals becoming more aware of their data subject rights, and specialist firms widely promoting group litigation claims after large-scale data breaches, more such claims are likely to emerge over the next 12 to 24 months.

Preventing and responding to a data breach

Organisations, both small and large, are at risk of sophisticated cyber-attacks, especially during the current pandemic, when most organisations will have a proportion of their workforce working remotely. Organisations should actively review and continually improve their information security practices. The National Cyber Security Centre also provides useful guidance on managing security risk, protecting against cyber-attack, detecting cyber security events and minimising the impact of cyber security incidents.

When suspicious activity within an IT system is identified or reported, organisations should bear in mind that the 72-hour reporting window starts when there is a reasonable degree of certainty that personal data has been compromised, not when the investigation into the full scope of the incident is complete. If for any reason the time limit cannot be met, organisations will need to be prepared to explain the reasons for the delay.

If you would like assistance with your data protection matters and managing data breach risks, please contact David Varney in our Data Protection team.
