ICO Drops Investigation Into 2020 EasyJet Hack

Fresh development for the “highly sophisticated” hack of EasyJet in 2020 that saw personal information of 9 million customers accessed.

The Information Commissioner’s Office (ICO) has confirmed to Silicon UK that it has dropped an investigation into the hack that impacted millions of EasyJet customers because its limited resources are better used elsewhere.

In May 2020, as the world battled the early stages of the Covid-19 pandemic, the British budget airline had confirmed in a stock market statement, that it had been the target of a cyberattack “from a highly sophisticated source.”

ICO investigation

The EasyJet hack remains one of the largest data breaches in UK history, after the airline admitted that email addresses and travel details of 9 million people had been accessed.

That did not include passport data, but 2,208 people did have their credit card details stolen.

EasyJet had warned customers at the time to be alert should they receive any unsolicited communications, and said it had notified both the Information Commissioner’s Office (ICO) and GCHQ’s the National Cyber Security Centre (NCSC).

But now the ICO has confirmed it has dropped its probe into the matter.

“All data breaches reported to us are important, given the human impact at the heart of each incident,” an ICO spokesperson told Silicon UK in a statement.

“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward,” said the spokesperson. “It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organisations.”

“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time,” the spokesperson told Silicon UK.

“We are currently transforming how we prioritise and deliver activity across our wide range of regulatory responsibilities to enable timely and transparent results as we prepare for the forthcoming Data Protection and Digital Information Bill.”

Angry BA?

The decision by the ICO to drop the EasyJet investigation may not please the management at rival airline British Airways.

On 6 September 2018 BA discovered a hack of its systems that had resulted in the data of half a million customers being harvested by attackers as it was entered.

To make matters worse, BA was completely unaware of the hack for two months, as the attack began in June 2018, during the busy summer holiday period.

The ICO investigated and in July 2019 it proposed a fine for British Airways of £183 million.

BA appealed and in October 2020, the ICO settled on a fine of just £20 million, which was still a record amount.

In July 2021 BA confirmed a confidential settlement with those affected by the data leak.

Limited resources

ESET global cybersecurity advisor Jake Moore noted the reality that the stealthy tools used by cyber criminals can sometimes outstrip the resources of law enforcement.

“Cybercrime is notoriously difficult to investigate but the pressure on such huge frauds to investigate them can be immense,” said Moore. “Unfortunately, the stealthy tools available to criminals to help avoid detection often heavily outweigh the resources available to law enforcement in strength and power and therefore cases continue to get dropped.”

“Government regulations can often fall back to rely on a set of fines for such blunders but this can never reflect the true impact to those customers who have had their personal information stolen,” Moore concluded.

Mixed messages

But Jordan Schroeder, managing CISO at Barrier Networks, said the ICO decision could give off mixed messages and it will undoubtedly receive a lot of scrutiny.

That said, it shouldn’t be seen as an indication that the ICO is ‘easing up’ or that data breaches will be tolerated.

“Organisations have a duty to care for the data they hold and process, and they must take the protection of that data very seriously,” said Schroeder. “These protections shouldn’t only be motivated by compliance or the risk of regulatory fines, but mainly because of their duty of care to customers, employees, and partners.”

“In the three years since the EasyJet breach occurred, cyberattacks have grown in scale and frequency,” Schroeder concluded. “Now is not the time for organisations to lower their defences.”

Deeply concerning

But Mike Newman, CEO of My1Login, said the ICO decision to drop the investigation is deeply concerning, and could send a wrong message.

“When the EasyJet breach was first announced over three years ago, it was widely regarded as one of the world’s biggest cyberattacks,” said Newman. “Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud and identity theft. It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and it could send out a very wrong message to other organisations.”

“Given the scale of the attack, and the fact that British Airways was hit with a £20 million fine for a much smaller breach, the industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case,” said Newman.

“Since the EasyJet data breach took place, cybercrime has grown, so organisations should not see this as an opportunity to let down their defences,” Newman cautioned. “When customer data is held, it must be kept secure.”

“With over 80 percent of today’s cyberattacks being executed through stolen credentials, organisations must focus on securing these as a priority,” said Newman. “Phishing is generally a tactic used to steal passwords from employees so criminals can access corporate networks and the data they store. The safest way to remediate this threat is by removing passwords from the hands of the workforce.”