Airlines collect a huge amount of personal data. From names and surnames, to passport and credit card numbers; the data needed to buy a plane ticket is all highly sensitive, and if any of it were stolen, it would cause serious problems for the victim. This is why, when an airline suffers a data breach, it is big news, especially when it is one of the most important airlines in Europe.

EasyJet: A massive data breach

On May 19 this year, EasyJet announced that it had suffered a “massive cyberattack” in which the attackers had accessed the personal data of approximately nine million customers. Among the data that the cybercriminals were able to access were the victims’ email addresses and travel details. What’s more, the attackers also managed to “access” the credit card details of 2,208 customers. The company first learned of this incident in January this year.

When it discovered the breach, EasyJet contacted the UK Information Commissioner’s Office (ICO) to report the incident, as well as the National Cyber Security Centre, the British CERT. As soon as EasyJet discovered the incident, it closed off the attackers’ unauthorized access. For the time being, the company has not revealed any technical details about the incident, and we do not know how the attackers were able to get into the systems.

EasyJet’s reaction

In a statement, EasyJet explained: “We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused. However, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimize any risk of potential phishing.”

Johan Lundgren, CEO of the company, said that “[we] have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyberattackers get ever more sophisticated.” He also explained that he is aware of the increased concern regarding the use of personal data in online scams during the COVID-19 pandemic. He asked EasyJet customers to be vigilant, especially if they receive any suspicious emails supposedly from the company.

The potential fine comes at a very bad time for the company; the current COVID-19 pandemic has forced EasyJet to cancel all of its flights indefinitely.

Airlines and data breaches

EasyJet is by no means the first airline to suffer a data breach. The most famous case was British Airways; the company suffered a data breach in 2018 in which the personal data of some 500,000 clients was stolen in a supply chain attack. As a result of this incident, the ICO proposed a £183 million (€204,110,000) fine under the GDPR, the highest to date.

What can be done to protect against these data breaches?

As the British Airways case illustrates, the financial consequences of breaching the GDPR can be very serious. However, fines are not the only consequence of these incidents. Improper access to clients’ personal data can have serious repercussions on the reputation of any company. What’s more, this loss of reputation also has an impact on the company’s finances.

Nobody wants their company to suffer a data breach, even if it is not as large as EasyJet’s. It is therefore essential to know where the personal data that your company handles is stored, who has access to it, and what they’re doing with it. This is why Panda Adaptive Defense has an additional module, Panda Data Control.

This module discovers and audits all unstructured personal data on your company’s endpoints. It also generates reports and alerts in real time if it detects any unauthorized access to data. This way you can prevent leaks and implement proactive access and operation measures.

Unfortunately, data breaches are a daily fact in the business world. With Panda Data Control, you can be sure that you are not going to be the next victim of this kind of breach.