More thoughts on the Easyjet breach

You can find a link to the initial article here

Over a fortnight on from the public announcement that Easyjet had lost the details of 9 million customers, along with the payment card details of a further 2200, things haven’t been getting much better for the beleaguered airline.

Of immediate priority is that they are now looking at a class-action lawsuit with a headline figure of £18 billion, or £2,000 per person whose details were stolen. Pragmatically, the figure that ends up being settled on will be much lower, but still significant, both in financial cost and as a distraction at a time when they are trying to survive the Covid crisis.

It transpires that the attack resulting in the loss of these details ran between October 2019 and January 2020, with those who had their card details stolen notified in early April – an event that somehow missed becoming news at the time. If the ICO were in fact notified of the breach in January, questions have to be asked as to why they did not force the notification of customers for months afterwards.

Somewhat more troubling is that this was not a smash-and-grab attack. While that would still be indefensible, the fact that the attacker could have been in Easyjet’s systems for up to four months without being detected forces the question of what their security team was doing: did they not detect the theft? Or did they detect it, but wrongly dismiss it as a false positive? Hopefully more information will be provided in the coming weeks and months about what went wrong at Easyjet, allowing this and other questions to be answered.
