Earlier this month, EasyJet reported a major security breach of their systems in which the names, email addresses and travel details of approximately 9 million customers were accessed. More than 2,000 customers’ credit card details were also compromised.
The breach was reported to the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
A law firm has issued a class action claim in the High Court of London which may fetch each affected EasyJet customer up to £2,000. Multiplied by the total number of customers, this adds up to over £18 billion. This does not include legal costs or a possible fine that the ICO may also impose on EasyJet.
Overall, this is a good example of how a security breach affecting a large number of customers can result in costs well beyond what even a large company can absorb. Even if EasyJet have some form of data breach insurance, it is unlikely that this will cover such a huge sum, and the insurer may well refuse to pay out if EasyJet were negligent or the claim is outside the scope of the insurance.
Preventing breaches is essential not only to manage the risks of the consequential damages, financial and reputational, but also to comply with the law. Under GDPR, company directors can also be personally liable for financial penalties for data breaches. To establish an information security and data protection policy within your organisation or to review or expand an existing policy and process, please do not hesitate to contact Agile Cybersec.