What the EasyJet Data Breach Means for Your Business

What the EasyJet Data Breach Means for Your Business

In May 2020, UK airline EasyJet announced that the personal data of over 9 million of its customers had been breached in a cyberattack.

The airline could face massive financial and reputational consequences, including a multi-billion dollar lawsuit and a possible administrative fine under the EU General Data Protection Regulation (GDPR).

This article will look at what happened, the possible impact on EasyJet, and what the GDPR says about avoiding and reporting data breaches.


EasyJet Data Breach

Here's what we know so far about the EasyJet data breach and its consequences.

What Happened?

Between October 17, 2019, and March 4, 2020, a "highly sophisticated attacker" exfiltrated over 9 million EasyJet customers' records. The compromised data included email addresses, travel information, and, in some cases, payment card information.

EasyJet put out a statement on May 19, 2020, apologizing to its customers. It said it would individually notify every affected customer by May 26.

The hackers' identities, techniques, and motives remain unknown.

What Penalties Does EasyJet Face?

What Penalties Does EasyJet Face?

It's hard to predict what penalties might be imposed on EasyJet as a result of this incident. However, given the scale of the breach, EasyJet could face a substantial fine.

In July 2019, the UK's Data Protection Authority (DPA), the Information Commissioner's Office (ICO), announced its intention to fine British Airways, another UK airline, for £183.39 million (approximately $236.35 million). The British Airways data breach involved just 500,000 individuals.

So what sort of a fine awaits EasyJet? Let's look at the two classes of "administrative fines" under the GDPR.

Under Article 83 (3), a data controller or processor can be subject to a fine of up to:

  • €10 million (approximately $11.8 million USD)
  • 2 percent of annual worldwide turnover

"Article 83 (3)" fines are the smaller of the two classes of fine and can be imposed for breaching most parts of the GDPR, including the failure to implement proper data protection and cybersecurity measures.

Heavier fines are available under Article 83 (3), whereby a data controller or processor can be liable for up to:

  • €20 million (approximately $23.6 million)
  • 4 percent of annual worldwide turnover

Article 83 (4) fines are reserved for more serious violations of the GDPR, including:

If EasyJet violated Article 32 of the GDPR, by failing to implement appropriate data security measures, this is most likely to result in an "Article 83 (3)" fine.

However, if it is determined that EasyJet violated the GDPR's principle of "confidentiality and integrity," a larger, "Article 84 (4)" fine is possible.

Whichever type of fine EasyJet received (if any), it is unlikely that EasyJet will receive the very largest fine available.

Article 83 (2) GDPR sets out the factors relevant to determining how large a fine should be:

Intersoft Consulting: GDPR Article 83 Section 2: General Conditions for Imposing Administrative Fines

In the event of a data breach, several factors determine the size of a fine, including:

  • The scale of a breach
  • The sensitivity of the personal data involved
  • Whether the affected organization was negligent
  • How closely the affected organization cooperated with the DPA
  • What steps the organization took to contain the breach

How Damaging Could the EasyJet Lawsuit Be?

Legal firm PGMBM is taking forward a "representative claim" (class action) to the English High Court. The firm says that claimants could receive "up to $2000 or €2000 in certain cases." On this basis, the total damages could be up to €19 billion (approximately $22.4 billion).

The case is proceeding under the UK's Data Protection Act 2018, which incorporates the GDPR, and English civil law ("the torts of misuse of private information/breach of confidence," according to PGMBM).

It is very hard to say whether the case will succeed. The English legal system has not recognized many "class action"-style lawsuits.

Article 82 of the GDPR grants a "right to compensation and liability," whereby "any person who has suffered material or non-material damage as a result of an infringement" can receive compensation (damages) from a data controller.

Despite some very large administrative fines, there have been few examples of successful legal claims under the GDPR. But either way, being subject to a multi-billion dollar lawsuit is something that any business will want to avoid.

Keeping Personal Data Secure

Keeping Personal Data Secure

It is unclear how much responsibility EasyJet bears for this data breach, and whether it took all reasonable steps to secure its customers' personal data.

Article 32 of the GDPR requires data controllers and processors to keep personal data secure:

GDPR Article 32: Section 1: Security of processing

The above excerpt is quite general, and the only specific measure suggested is "the pseudonymization and encryption of personal data."

Other measures to protect personal data include:

There is no suggestion that EasyJet failed to implement these sorts of measures. However, the extent of any penalty or damages will be partly determined by how well EasyJet secured its customers' personal data.

To avoid suffering the same issues as EasyJet, you must take every reasonable step to secure your customers' personal data. For more information, see our article Protecting Personal Data in Your Business.

Reporting a Data Breach

Reporting a Data Breach

The GDPR provides a procedure for reporting a suspected or actual data breach. Let's take a look at this procedure and whether EasyJet appears to have followed it.

Notifying the Data Protection Authority

By reporting its data breach to the UK's DPA, EasyJet was following Article 33 of the GDPR:

EUR-Lex: GDPR Article 33 section 1 - Notification of a personal data breach to the supervisory authority

Under the GDPR, it's not necessary to report every data breach.

Article 33 states a data controller must notify its DPA about a breach unless "is unlikely to result in a risk to the rights and freedoms of natural persons." "Natural persons" means any individual, not just the data subjects whose personal data was breached.

Data processors who suffer a breach must inform their data controller.

So how do you know whether a data breach is serious enough to report to the DPA? What is a "risk to the rights and freedoms of natural persons"? Recital 85 provides some insight:

EUR-Lex: GDPR Recital 85

The above excerpt provides the following examples of incidents that might trigger data breach notification:

  • Loss of control over personal data
  • Limitation of data rights
  • Discrimination
  • Identity theft
  • Fraud
  • Financial loss
  • The revealing of a person's identity
  • Reputational damage
  • Loss of confidentiality of data guarded by professional secrecy

EasyJet's data breach involved the following types of personal data:

  • Email addresses
  • Travel details (i.e. information about flight bookings)
  • Credit card details (of 2,208 customers)

Due to the risks of identity theft and financial loss, it was clearly necessary for EasyJet to report its data breach to the ICO.

If you are in any doubt as to whether you need to report a data breach, we recommend that you report it.

If you decide not to report a data breach to your DPA, you must still record the incident and to detail your assessment, in case you have to justify this decision at a later date.

How Soon Should You Notify Your DPA?

According to Article 33, you must notify your DPA "without undue delay and, where feasible, not later than 72 hours after having become aware of it."

If you are unable, for whatever reason, to report a data breach to your DPA within 72 hours, you must explain the reasons for your delay.

Unnecessarily delaying notification would be considered a very serious breach of the GDPR, and could make any penalties imposed due to your data breach more severe.

What Information Should You Provide to Your DPA?

Article 33 (3) sets out what you need to tell your DPA:

EUR-Lex: GDPR Article 33 section 3 - Notification of a personal data breach to the supervisory authority

In summary, your data breach notification to the DPA must include information about:

  • What types of individuals were affected by the breach (e.g., your customers)
  • Approximately how many individuals and/or records were affected
  • Contact details for your organization (your Data Protection Officer, if you have one)
  • The likely consequences of the breach
  • What you have done, or propose to do, to contain the breach and mitigate its effects

If your notification is late, you must also explain why.

Notifying Data Subjects

Notifying Data Subjects

Article 34 of the GDPR requires controllers to notify the data subjects that have been affected by a data breach, as well as the DPA. This rule only applies under certain conditions:

EUR-Lex: GDPR Article 34 section 1 - Communication of a personal data breach to the data subject

"Data subjects" are individuals to whom personal data relates. In the case of the EasyJet breach, this means EasyJet's customers.

Article 34 states that controllers must notify data subjects about a breach if it "is likely to result in a high risk to rights and freedoms of natural persons." The distinction between Article 33 and Article 34, in this regard" is the word "high."

The ICO provides an example of where notification to data subjects must occur:

ICO Personal Data Breaches: Example of when notification to data subjects is required

In the above example, the ICO considers the nature of the personal data and the consequences of the data breach.

In the EasyJet case, the nature of the personal data involved is relatively sensitive, including financial and travel data. However, it appears that no "special category" (sensitive) personal data was breached.

The consequences of the data breach appear to have been significant. Initially, EasyJet said there was no evidence that the data had been misused. However, UK police agency Action Fraud reported in June that £11,752.81 in losses had been reported.

On balance, the EasyJet case certainly appears to have met the threshold for data subject notification.

Article 34 provides three reasons why a controller might not need to notify data subjects:

EUR-Lex: GDPR Article 34 section 3 - Communication of a personal data breach to the data subject

A controller may not need to notify data subjects if:

  1. The personal data was protected in a way that would render is unintelligible (e.g. it was encrypted)
  2. The controller has managed to contain the breach and there is no longer any risk
  3. It would involve disproportionate effort, in which case the controller can make a "public communication"

The threshold for the "disproportionate effort" exception appears to be very high. Even though the EasyJet case involved around 9 million data subjects, EasyJet was still required to notify them individually in addition to making a "public communication."

How Soon Should You Notify Data Subjects About a Breach?

How Soon Should You Notify Data Subjects About a Breach?

Note that the GDPR requires notification to be given to data subjects "without undue delay." EasyJet reportedly became aware of the breach in January 2020, but it did not notify data subjects until May 19, 2020.

So, what's behind this delay? Does the GDPR cite any acceptable reasons to delay notification of data subjects for two months? Will this cause a problem for EasyJet?

Regarding the reason for delaying notification of its customers about the breach, an EasyJet spokesperson told the BBC:

"We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed."

If EasyJet did not know the identities of the affected customers until May, then it may be reasonable that it did not notify the data subjects earlier.

Note that certain data breach laws, such as the New York Shield Act, require a business to publicize a data breach on its website and via broadcast media channels whether or not the affected individuals' identities are known.

The GDPR does not require controllers to publicize data breaches in this way. However, the controller can make "a public communication or similar measure" if "it would involve disproportionate effort" to notify individual data subjects. It's not clear why EasyJet did not do this in early January.

Most importantly, EasyJet did notify the ICO in a timely way, and the regulator has apparently guided the company throughout its breach response.

Article 34 (4) states that Data Protection Authorities may take decisions about notifying data subjects of a breach:

EUR-Lex: GDPR Article 34 section 4 - Communication of a personal data breach to the data subject

Also, note that Recital 86 states that controllers should work in close co-operation with the DPA when notifying data subjects about a breach, and should respect the DPA's guidance:

EUR-Lex: GDPR Recital 86: Communications made reasonably feasible section highlighted

In addition to the reasons for delaying notification to data subjects discussed above, Recital 86 gives another reason why it may be justifiable to delay notifying data subjects:

EUR-Lex: GDPR Recital 86: Need to implement appropriate measures section highlighted

The above excerpt effectively states that you may prioritize containing a data breach over notifying data subjects.

Furthermore, Recital 88 provides another potential reason for delaying notification to data subjects:

EUR-Lex: GDPR Recital 88

The above excerpt states that you may need to delay notifying data subjects about a data breach if notifying them earlier would hamper a legal investigation into the data breach.

What Information Should You Provide to Data Subjects?

Article 34 states that your notification to data subjects must state, in "clear and plain language":

  • The nature of the data breach
  • Contact details for your organization (your Data Protection Officer, if you have one)
  • The likely consequences of the breach
  • What you have done, or propose to do, to contain the breach and mitigate its effects

You should also inform data subjects of any steps they can take to mitigate the impact of the breach, for example:

  • Changing account passwords
  • Cancelling credit cards
  • Being wary of phishing emails
  • Checking their credit card statements and credit reports

For more information, see our article GDPR Data Breach Notice Letter.

Summary

The extent of the damage to EasyJet remains unknown. It may face a significant administrative fine and have to pay substantial damages to its customers.

However, even if the issue were resolved tomorrow, the airline has already spent time and resources trying to mitigate the impact of its data breach and protect its reputation.

The case serves as an important reminder for your business to be proactive in its GDPR-compliance efforts:

  • Take every reasonable step to protect all the personal data your business handles
  • Report all data breaches to your DPA unless you are sure you don't need to
  • Cooperate fully with your DPA, including by notifying the affected data subjects, if required
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.