EasyJet data breach comment from security & data privacy vendors
May 2020 by Experts
Following EasyJet’s announcement of its data breach, please find comment below from cybersecurity and data privacy vendors.
Darren Wray, CTO at UK-based data privacy start-up, Guardum:
“Another major breach of personal information from an airline is not what anyone wants, especially with the current state of the airline industry. The reference to sophisticated hackers is an unusual phrase, which may be rolled out in part as a partial defence, as these days there really aren’t any other types of hacker. Companies, no matter how big or small, must assume that sophisticated hackers have them in their targets.
Companies must implement strong processes and procedures to ensure they are only collecting the personal information that they need and ensure that they have a strong and well-tested incident response process. In addition, they must invest in the tools and staff to ensure that personal data is always protected, as well as securely deleting or redacting it when it is no longer needed.
It is really important for CEOs and board members to be asking the questions of their data protection and information security teams to ensure that their businesses are protected; this is particularly important when business processes have had to be changed to deal with the changes in working practices caused by the COVID pandemic.”
Jeremy Hendy, CEO, Skurio:
“Customers of EasyJet should be changing security information for web accounts or app usage immediately as a precaution and monitoring their bank accounts for fraudulent activity.
They should also be wary of any correspondence they receive by email or text message. We have seen previously that criminals use these types of incidents to slip phishing attempts under the radar. This is done by recycling contact details from historic breaches and hoping worried customers will let their guard down. With 9 million travel customers affected there could be a significant overlap with previous similar breaches such as British Airways and Marriott Hotels.”
Joseph Carson, chief security scientist, Thycotic comments:
“The airline industry is not a new target, and in previous years cybercriminals have targeted multiple airline customers, stealing sensitive data such as identity documents, credit card details, travel itineraries and frequent traveller miles.
The notice of the security incident includes common terms such as “a highly sophisticated source”, though this all too often turns out to be overstated, and until a proper digital forensics investigation is completed, such statements tend to attempt to downplay responsibility. The statement includes that robust security measures are in place, but as always, it only takes one click on a malicious email, a stolen credential or a misconfigured database to allow criminal attackers access to a company’s networks.
The main concern is that it appears not all customers have been notified yet, which means that between now and proper notification it is highly likely that their data could be abused unknowingly. This type of notification will also likely mean a large flood of inbound customer support calls that could overwhelm EasyJet’s already stretched support team.
The notice of the security incident could do with improvements, but at least it is a good start, and easyJet do appear to be following an incident response plan. Any sensitive data should always be protected with strong encryption, multifactor authentication and strong privileged access security to reduce the risks from unauthorized access.”