
Patterns of Compromise: The EasyJet Data Breach

It has been a withering time for the airlines, whose unused planes moulder in a gruelling waiting game of survival. The receivers are smacking their lips; administration has become a reality for many. Governments across the globe dispute what measures to ease in response to the coronavirus pandemic; travel has been largely suspended; and the hope is that some viable form will resume at some point soon.

For the low-cost airline EasyJet, a further problem has presented itself. Earlier in the week, the company revealed that it had “been the target of an attack from a highly sophisticated source”, resulting in a data breach affecting nine million customers. Of those, 2,208 customers (“a very small subset”, as the company wished to emphasise) had had their credit and debit card details “accessed”.

The UK’s Information Commissioner’s Office had been informed about the incident but the company only revealed this catastrophic lapse in data security to individuals, as it told the BBC, “once the investigation had progressed enough that we were able to identify whether any individuals had been affected, then who had been impacted and what information had been accessed.”

EasyJet were also quick to douse the fires of this grim chapter in data insecurity. “There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.”

This phishing risk entails that opening any suspicious email purporting to be from EasyJet is simply a risk not worth taking. Naturally, the company will have to inform, and has informed, customers of that very risk, resulting in a peculiar circularity: Who to believe and what enables the recipient to detect the suspicious? As digital privacy expert Ray Walsh opines, “Anybody who has ever purchased an EasyJet flight is advised to be extremely wary when opening emails from now on.”

For the company’s part, customers whose credit card details were compromised have received an email with a unique code, ostensibly to access services provided by a third party. A call centre to deal with concerns arising from the hack has also been established, though service on that has been typically sloppy.

Airline companies have a rather patchy record in the field of data security. In the cybersecurity department, they seem to be rather thinly staffed, a failing that matches a global tendency. (A 2018 report suggested a shortage of some 2.93 million cybersecurity professionals.) The implications for both airline companies and aviation infrastructure have been of such magnitude as to prompt warnings that it is merely a matter of time before aircraft are themselves the subject of cyber-attack.

The honour board on compromised customer data is a long one. Cathay Pacific Airways experienced an attack on the scale of that of EasyJet, with a hacker accessing the personal information of 9.4 million customers over a four-year period. This was also a case that interested the ICO, resulting in a pre-General Data Protection Regulation fine of £500,000. The ICO investigation revealed that the airline lacked adequate security controls to ensure the integrity of passenger data within internal IT systems. This “resulted in the unauthorised access” to “passengers’ personal details including: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.”

Cathay Pacific’s systems were penetrated via an internet server enabling the installation of data harvesting malware. It did not help that the data storage regime in place was weak and complacent. Back-up files were not password protected; internet-facing servers were unpatched; the presence of inadequate and outdated anti-virus protection software was noted.

British Airways was less fortunate in being fined £183 million in 2019 by the ICO, armed with the more punitive powers of the GDPR, for failing to take adequate steps in protecting the personal information of some 380,000 customers. The 2018 compromise of data took place through bookings made on its website (ba.com) and the British Airways mobile app over the course of a 15-day period. As with EasyJet, the company adopted a strategy of understating the effect of it all. Yes, personal details had been stolen, including the names, addresses and financial information of customers, but those cheeky hackers did not make away with passport or travel details. And, before anybody should get too excited, the cyber incident was, according to a spokesperson for British Airways, “data theft, rather than a breach”.

None of this impressed the Information Commissioner Elizabeth Denham. “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

Not to be left out, Air Canada also confirmed a data breach on its mobile app in August 2018, though the scale was a more modest 20,000 individuals. One defective feature of the airline’s operating systems stood out: a mediocre password policy accepting only letters and numbers.

Such patterns of compromise are all too common in the commercial aviation industry, but EasyJet’s Chief Executive Officer Johan Lundgren claims to be wiser after the fact. “Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams.” Pressed by the ICO, “we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant particularly if they receive unsolicited communications.” A fine of some magnitude is expected.


Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne. Email: bkampmark@gmail.com
