Expert Insight: breach of easyJet data

You’ve probably heard about easyJet’s data gaps. More than 9 million customers have been victims of violations of their personal data and around 2,000 customers have been granted access to their card details. Hugo van den Toorn, the offensive security director of Outpost 24, warned that after such a breakthrough information is often sold on underground markets and then used in various attacks: Credit card details for illegal payments and personal data for targeted phishing attacks. Any material damage resulting from this infringement may result in heavy fines from the regulatory authorities and a significant loss of trust between easyJet and its customers. In fact, under OIPC legislation, the Office of the Information Commissioner (OIPC) can impose a fine of 4% of Light Jet’s turnover in 2019, which could reach £255 million.

Johan Lundgren, CEO of easyJet, apologized publicly yesterday, emphasizing the increased risks customers face in a landscape dominated by COVID-19 phishing scams. Since we became aware of this incident, it has become apparent that Covid-19 is concerned about the use of personal information for online fraud. Therefore, on the recommendation of the ICO, we contact clients whose travel information was available and advise them to be particularly vigilant, especially if they receive unsolicited messages.

Niamh Muldoon, senior director trust and security at OneLogin, said easyJet had followed proper procedures, informed the customers involved and publicly alerted the nine million people whose email addresses had been stolen. However, Mr Muldoon asked additional questions about current safety standards: Attackers know that many organizations are not strong enough when it comes to access security. Felix Rosbach, Product Manager at Comfort AG, a data security company, agrees: Organisations processing PII data must take data security seriously. There are proven methods that can reduce the impact of these data leaks. Unfortunately, the easyJet service has not adopted a data-centric approach.

Mr. Rosbach went on to explain how Easy Jet could have prevented this breakthrough: Tokenisation is a good example. In this approach, all elements of confidential data are replaced by tokens. This means that this data is useless to intruders in the event of a data breach. Chris Hauk, the champion of consumer privacy at Pixel Privacy, emphasized that Mr. Rosbach’s assertion that data breaches such as those at EasyJet underline the need for greater corporate security and constant vigilance on the part of consumers to ensure that the same login and password information is not used on multiple websites.

Most of the security experts we’ve spoken to have the same problem as easyJet. In fact, Brian Higgins, security specialist at Comparitech.com, told the IT security guru that easyJet needed a comprehensive incident response plan to tackle the attack. The next few days will show whether this is the case, although the way in which they can reassure their customers that there is no evidence that personal information has been misused is indicative of alarming naivety. Unfortunately, this naiveté will ultimately undermine trust between easyJet and its holiday customers. Robert Ramsden-Board said passengers need to have confidence that airlines will keep their personal information secure when booking tickets with them, but a breach of this magnitude undermines that confidence.

Unfortunately, this offense will lead to a significant number of phishing scams. Mr. Ramsden-Bord said we are likely to see a series of phishing attacks on EasyJet customers in the near future, so all customers should be on the lookout for any suspicious activity.

With this in mind, anyone who has used easyJet in the past should change his or her security settings and update his or her account with a unique password to avoid further personal damage.