Has EasyJet mishandled customer data? Were they responsible for the recent data breach? Could they have done more to prevent a cyber-attack?

These are all questions being asked, among many others.

With an annual global turnover in the region of £6.4 billion in 2019, the airline company is facing a potentially very heavy fine from the Information Commissioner’s Office (ICO) relating to the breach, under General Data Protection Regulation (GDPR). This will not include compensation payouts to affected customers if negligence on the part of EasyJet is proven, which could reach up to £3 billion.

EasyJet has said the breach was due to a:

“highly sophisticated cyber-attack.”


Around nine million customers have been affected with email addresses and travel itineraries stolen. Furthermore, 2,208 customers who stored their debit and credit card details within their profiles on the EasyJet website, have had them stolen.

Why are we only finding out about this now when EasyJet was first alerted to the attack in January 2020?

Good question.

EasyJet has claimed it was only able to inform those customers whose card details were stolen in early April 2020.

When questioned by the BBC as to why it took so long to notify customers, EasyJet stated,

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.”


They added,

“We could only inform customers once the investigation had progressed enough that we were able to identify whether any individuals had been affected. Then, who had been impacted and what information had been accessed.”


It turns out that even the secure CVV digits (the three verification numbers on the back of cards) of those 2,208 customers had been accessed.

EasyJet has warned all affected customers that their email addresses had been stolen during the cyber-attack and has advised them to be aware of potential phishing attempts. No details on the exact nature of the attack have been provided by the airline company, however, it confirmed the investigation is ongoing and believes the attackers were targeting the airline’s intellectual property. It didn’t believe they were stealing data to use in identity fraud. EasyJet maintains its stance that it does not think that any of the nine million customers’ personal data has been misappropriated and has further advised that it has been acting under the recommendations of the ICO.

Until the ICO has completed its investigation, EasyJet faces a more pressing issue. The law firm, PGMBM has issued a class-action claim against the airline which could mean a possible liability of more than £18 billion. PGMBM has filed the claim in the High Court of London on customers’ behalves. One of the reasons for this lawsuit is the fact that it took EasyJet four months to inform customers of the breach, even though it had informed the ICO earlier than this.

The British Airways cyber-attack and subsequent data breach in 2018 should have been a warning to all airline companies. Unfortunately, passenger trust is extremely low during the current crisis and this breach has most certainly not helped that.

The ICO is still investigating the data breach. It said that the general public has a right to expect companies to maintain their personal data in a secure and responsible manner and where that does not occur, it will “take robust action”. Due to the coronavirus pandemic though, they may need to be more lenient in regard to the EasyJet data breach, considering how badly the airline industry has been affected. They must, nevertheless, act adequately because they have been deemed as having not done enough around GDPR enforcement.

What can we learn from the EasyJet fine?

Keeping on top of data protection under the GDPR rules has never been more important. These turbulent times we are experiencing have meant significantly increased cyber-attack attempts and a growing number of cyber criminals with the majority trying to access stored personal information and intellectual property. If your own business does not have data control protocols in place, it is high time to plan and implement them – without delay.

Final thoughts

EasyJet has advised affected customers that they should be weary of any messages claiming to come from either EasyJet Holidays or EasyJet itself. Regrettably, the COVID-19 pandemic has brought with it an increase in the occurrence of phishing attempts and Google is purportedly blocking over 100 million attempts each and every day. This does not include those phishing emails that manage to slip through the net, so the public needs to be more alert than ever to these potential threats.

No doubt, the trust of most airline customers has been significantly affected and organisations will need to work hard in gaining it back. EasyJet, especially, will need to clarify why it took so long to publicly announce the cyber-attack. Yes, it has been working with the ICO to handle the issue, however its customers’ data was still out there, without them knowing, for months. Perhaps the fact that EasyJet has been liaising with the ICO and NCSC will reduce the impending GDPR fines, but still, a cyber-attack occurred and the customers whose personal data was stolen should have been notified sooner in order to take appropriate safeguarding action.