A brief description of GDPR
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to give control to individuals over their data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects’ citizenship or residence—that is processing the personal information of data subjects inside the EEA.
GDPR imposes a number of rules and restrictions. One of them, the "integrity and confidentiality" principle (Article 5(1)(f), with the security obligations spelled out in Article 32), requires that personal data be processed with appropriate security against unauthorised access, loss and damage. Unfortunately many companies still do not have the security controls in place to meet that requirement.
There are two tiers of administrative fines: up to €10 million or 2% of annual worldwide turnover for the lower tier, and up to €20 million or 4% of annual worldwide turnover for the higher tier (whichever is higher in each case). In addition, data subjects have the right to seek compensation for material or non-material damage.
GDPR was designed to unify data privacy law across the EU member states and to give individuals greater protection and stronger rights over their data. It was also intended to change how businesses and other organisations may handle the information of the people who interact with them. Unfortunately, through poor security practices, many companies still fail to comply with it. EasyJet is one such example.
More information on GDPR can be found here.
The EasyJet data breach
The ICO (Information Commissioner's Office) is the United Kingdom's data protection regulator and the supervisory authority that enforces GDPR there; it is not an equivalent of the regulation itself. The ICO investigated the breach. The record £183m figure often cited alongside it was in fact the ICO's 2019 notice of intent against another airline, British Airways, not a fine issued to EasyJet. Compensation pay-outs to EasyJet customers have been estimated at up to £3bn.
Under GDPR, if EasyJet is found to have mishandled customer data, it could face a fine of up to 4% of its annual worldwide turnover, roughly £256 million on its 2019 revenue.
Unfortunately EasyJet is only one of many companies affected by large data breaches.
[Figure: companies affected by breaches of 30,000+ records]
Conclusion
As attackers become more resourceful and specialised, companies must invest correspondingly in protecting themselves and their customers. We live in a world where "just enough" is no longer enough: upgrading a company's security controls and testing them regularly, both internally and externally, should always be a top priority, especially for any organisation that handles personal information.
By Andre Gomes