, , , ,

EasyJet data breach victims reporting financial losses

According to Action Fraud – the UK’s national reporting centre for fraud and cybercrime  as of last month there were 51 reports in relation to the EasyJet data breach, with a total of  £11,752.81 in stated lossesOne customer lost £2,750 following the cyberattack.  

That’s despite the airline claiming that there was no evidence of any financial damage caused by the incident. The Action Fraud stats were shared recently.   

Action Fraud has warned those involved in the EasyJet data breach to be vigilant 

Action Fraud has provided advice and guidance if you think you have been affected. A statement on its website says:  

Action Fraud has been made aware by the National Cyber Security Centre of the cyber breach affecting EasyJet customers. We’re currently monitoring our system for EasyJet related reports to see if there has been a significant increase.

At this time we’re advising the public that if they think they’ve been a victim of fraud as a result of a data breach, to report it Action Fraud via the online reporting tool or by calling 0300 123 2040.

Here is what to do if you think you have been affected:

    • Phishing – Criminals may use your personal details to target you with convincing emails, texts and calls. Be suspicious of unsolicited requests for your personal or financial details. If you receive an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS): report@phishing.gov.uk.
    • Financial details – If your financial data was compromised, be vigilant against any unusual activity in your bank accounts or suspicious phone calls and emails asking for further information. If you notice any unauthorised transactions, notify your bank or card company.  
    • Passwords –Customers should ensure their passwords are secure. If you have been affected, you may want to consider changing passwords for key accounts such as banking. See Cyber Aware’s advice on creating a good password that you can remember, or read the NCSC’s blog post for help on using a password manager.
    • Report - If you think you have been a victim of fraud or cybercrime, report it to us. 

Our data protection solicitors are also warning people about the risks, with advice on what to do to protect yourself. You can read our guidance here 

Crucially, the effects of a data hack might not be immediately apparent, as stolen data is often used in batches over time. So, even if you have not yet suffered a loss, this doesn’t mean you are safe. You must take steps to protect yourself if you were involved in the EasyJet data breach.  

Make an EasyJet compensation claim

In addition to implementing the suggested security steps, if EasyJet has failed to uphold your data security rights, you should also consider making a compensation claim. 

At Hayes Connor Solicitors, we are watching this case with interest, and, if it transpires that EasyJet has failed to protect its customers, we will launch a no-win, no-fee group litigation action. Group actions can be a powerful tool and can have a bigger impact than a single claim.

We have already been contacted by people concerned that their data has been breached by EasyJetmanywho are understandably upset and anxious about the breach.

To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen. 

If you were a part of this breach you should have been contacted by EasyJet by 26th May 2020.Everyone who received this confirmation can make a data breach claim with Hayes Connor Solicitors.

There are no costs to register and no obligation to proceed. 

REGISTER NOW

, , , ,

Where to get help following the EasyJet data hack

Following a data breach at budget airline EasyJet, the personal details of nine million people have been accessed and 2,208 individuals have also had their credit card details stolen. Since the EasyJet data hack, Hayes Connor has been contacted by many customers, many of whom are upset and anxious about the breach.

The emotional impact of a data breach can be significant

The impact of data breaches goes much further than financial losses. Many victims experience stress, anxiety and distress. Following a robbery, people often feel shock, anger, fear, helplessness and panic, and a personal data breach is a 21st-century version of being burgled.

Furthermore, the psychological effects of a data hack might not be immediately apparent. Knowing that your information has been “burgled”, living with the increased risk and the extra vigilance needed can all cause distress to victims over time.

Thankfully, over the last few years, people are waking up to the reality of mental health and there is a greater awareness about the lasting effects of physiological suffering and anguish. However, following the EasyJet data breach, victims must keep an eye on their emotional wellbeing to ensure that their mental health doesn’t suffer.

To help, our data protection solicitors have listed some helpful links to ensure victims of the EasyJet data breach know where they can turn.

Help & support for people following the EasyJet data breach


Information Commissioner’s Office

The Information Commissioner’s Office (ICO) protects the data privacy rights of individuals. While the ICO does not award compensation, it does have the power to impose hefty fines on organisations in breach of their duties. You have the right to ask the ICO to assess if an organisation breached the Data Protection Act. At Hayes Connor Solicitors we often work with the ICO to gather as much evidence as possible to help our clients succeed. The ICO has also provided advice on its website on how victims of the EasyJet breach can spot phishing scams.

www.ico.org.uk


Victim Support

Victim Support is the leading independent victim’s charity in England and Wales for people affected by crime and traumatic incidents. Last year it offered support to nearly a million victims across the UK.

www.victimsupport.org.uk


Samaritans

The Samaritans are a group of passionate volunteers working together to make sure fewer people die by suicide. If you are struggling emotionally after a data breach, they can help. You can call them free from any phone.

https://www.samaritans.org/


Mind

The Mind Community Support Service provides advice, information, onward referral and holistic support to people who are experiencing mental ill-health and drug/alcohol difficulties (which could be exacerbated following the EasyJet hack). The service can also provide support to people who have been a victim of crime.

https://www.mind.org.uk/


Get Safe Online

Get Safe Online is a leading source of unbiased, factual and easy-to-understand information on online safety. It contains lots of helpful guidance to protect you and your data from the threat of fraud, identity theft and abuse.

www.getsafeonline.org


Take Five to Stop Fraud

Take Five offers straight-forward and impartial advice to help everyone in the UK protect themselves against financial fraud. Following the EasyJet data breach, cybercriminals might use contact information to try and extract financial data from victims.

www.takefive-stopfraud.org.uk


Action Fraud

Action Fraud is the UK’s national reporting centre for fraud and cybercrime. Victims of online offences such as scams and financial/identity fraud following the EasyJet data hack should contact Action Fraud to report their loss. You can do this online or via telephone. Victims of data breaches do sometimes become the targets of criminals, so it’s important that anyone affected by the EasyJet data breach is vigilant.

www.actionfraud.police.uk


How can Hayes Connor help you after the EasyJet data hack?

At Hayes Connor, we are now registering victims of this breach to a no-win, no-fee group litigation action against the airline. Group actions can be a powerful tool and can have a bigger impact than a single claim.

The law understands the damage that can be caused by worry and upset. So today, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

FIND OUT MORE ABOUT OUR EASYJET DATA BREACH GROUP ACTION

To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen.

There are no costs to register and no obligation to proceed.

REGISTER NOW


, , , ,

Is EasyJet deliberately downplaying the impact of its data breach?

EasyJet hit the headlines when it was revealed that the email addresses and travel details of nine million people and the financial details of 2,208 customers had been breached. But at Hayes Connor, we’re not convinced that the budget airline comprehends how significant this breach is. Or, if it does, it certainly isn’t owning up to it.

EasyJet claims there is no evidence that any personal information has been misused

In a statement admitting to the EasyJet data breach, the company said that “there is no evidence that any personal information of any nature has been misused”. But it can’t possibly know what the impact of this hack will be. Just because it doesn’t look like the data has been misused yet, doesn’t mean that it won’t be.

According to an article in The Independent, personal information “drives a higher price on the dark web” and “could be used for organised crime or ransomed”. Another article claims that “Airlines hold valuable personal information [that] could all be used by criminal organisations to commit identity fraud or further phishing campaigns as part of a larger operation”. Furthermore, most cybersecurity experts agree that it is too soon to say what has and will happen with EasyJet’s hacked customer data.

Certainly, we would advise anyone involved to beware of the following risks:

  • The risk of phishing. Victims of the EasyJet data hack could be targeted by phishing scammers. Phishing occurs when a cybercriminal poses as a legitimate organisation, the police, or someone else you trust to trick you into handing over sensitive information. In particular, EasyJet is advising customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays
  • The risk of financial fraud/theft. Over 2,200 customers had their credit card details accessed in the EasyJet data hack. With enough financial information, cybercriminals can set up fraudulent bank accounts and access your existing accounts. They can also make payments using your data, and even apply for credit/loans
  • The risk of COVID-19 scams. Hackers will likely try to take advantage of people who are cancelling flights because of the pandemic. What’s more, people are more susceptible to scans when they are already anxious, and the combination of being hacked and coping with the pandemic is likely to cause additional stress. So you must be on your guard.

EasyJet isn’t acknowledging the potential emotional impact of the data breach

On its website, EasyJet says that it won’t be paying compensation to most customers. It states that:

“Apart from the very small subset of customers who we have already notified, no credit card details have been impacted.  We therefore do not expect there to be any financial loss caused by this incident.  We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications”.

This statement proves that EasyJet is not taking responsibility for its failure to protect personal customer information.

The impact of the EasyJet data breach is likely to go much further than financial losses. And, EasyJet does the nine million customers who haven’t had their financial data stolen a disservice to assume otherwise.

A personal data breach is a 21st-century version of being burgled. And, following a robbery, people often feel shock, anger, fear, helplessness and panic. Some will go on to suffer from psychological problems, and existing conditions are often exacerbated.

Renowned clinical psychologist Professor Hugh C. H. Koch is an expert on the typical psychological effects experienced by victims of data breaches. He told us:

“Data breach victims typically experience high levels of anxiety, specific to the data breach but also generalised to other aspects of dealing with correspondence, telephone and digital communication and payment for services. Victims experience social anxiety, with difficulties dealing with friends and neighbours, tradesmen, shopping transactions and can develop oversensitivity or paranoia in their communications with others. They can also develop varying aspects of mood disturbances or depression especially including poor sleep and tearfulness.”

Thankfully, over the last few years, people are waking up to the reality of mental health and there is a greater awareness about the lasting effects of physiological suffering and anguish. What’s more, the law recognises the emotional damage that can be caused by a data protection failure, so EasyJet shouldn’t be allowed to get away with it.

EasyJet took months to let customers know they were at risk

EasyJet knew about the hack as far back as January. So why did the airline take four months to warn customers that hackers had their personal information? Especially as, under the General Data Protection Regulation (GDPR), if a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms”, organisations inform those individuals without undue delay.  Even customers who had their credit card details stolen in this hack were not told until early April.

 


Do you want to hold EasyJet to account?

At Hayes Connor, we have been contacted by people concerned that EasyJet has breached their data; many of whom are understandably upset and anxious about the breach.  In response, we are now registering victims of this breach to a no-win, no-fee group action.

FIND OUT MORE ABOUT OUR EASYJET DATA BREACH GROUP ACTION

To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen.

There are no costs to register and no obligation to proceed.

REGISTER NOW


, , , ,

Know the risks & stay safe following the EasyJet data hack

Highly sophisticated hackers have successfully carried out a cyber-attack on the discount airline. The breached information includes the email addresses and travel details of nine million people and the financial details of 2,208 customers. All passengers involved in the EasyJet data hack will be contacted by 26th May at the latest (anyone who has had their financial data compromised has already been told).

If you are informed that your information has been breached, it’s essential that you understand the risks, and what to do to protect yourself.

The risk of phishing

Victims of the EasyJet data hack could be targeted by phishing scammers. Phishing occurs when a cybercriminal poses as a legitimate organisation, the police, or someone else you trust to trick you into handing over sensitive information such as usernames, passwords, financial data, etc.

In particular, EasyJet is advising customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.

You should also follow these tips to protect yourself from phishing scams:

  • Always question uninvited approaches in case it’s a scam and don’t assume an email or phone call is authentic
  • Know that, just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine
  • Never disclose security details, such as your PIN or full banking password
  • Don’t click any suspicious links that claim to be from your bank (or anyone else). Always go to the organisation’s website by entering its proper address (or searching for it in Google)
  • Make sure your devices are protected by internet security software and keep this up to date
  • Be aware of common phishing techniques and keep an eye out for fraudsters who attempt to gather additional personal information
  • Listen to your instincts and stop conversations immediately if you are at all worried. A reputable organisation will never stop you from carrying out security checks.

The risk of financial fraud/theft

Over 2,200 customers had their credit card details accessed in the EasyJet data hack. With enough financial information, cybercriminals can set up fraudulent bank accounts and access your existing accounts. They can also make payments using your data, and even apply for credit/loans.

According to the BBC: the “stolen credit card data included the three digital security code – known as the CVV number – on the back of the card itself”. This is especially worrying as it makes it much easier for cybercriminals to misuse card information.

EasyJet warned customers whose credit card details were stolen in early April. If you were told your data was included in this breach and you haven’t already put steps in place to protect your finances, you must do so immediately. This includes:

  • Contacting your bank or credit card provider to let them know your data was violated (you should be issued with a new card and the bank might put additional security steps in place)
  • Keeping an eye on your transactions and contacting your bank or credit card provider immediately if you spot any unfamiliar or suspicious activity
  • Keeping an eye on your credit score for any unexpected dips
  • Contacting all the major credit reference agencies to ensure credit isn’t taken out in your name
  • Understanding that a legitimate bank or other financial organisation will never contact you ask for your PIN or full password, or ask you to move money to another account for fraud reasons
  • Registering with the Cifas protective registration service if you want to put an additional layer of security in place. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you.

In addition, you should look out for phishing scams that attempt to use your financial data against you.

If you experience any financial loss or fraud attempts that you believe are linked to this data breach, please make a note of these and keep any evidence. If you decide to make a data breach claim, we can use this to support your case.


The risk of COVID-19 scams

Because of COVID-19, there is heightened concern about personal data being used for online scams. And hackers will likely try to take advantage of people who are cancelling flights because of the pandemic.

What’s more, people are more susceptible to scams when they are already anxious, and the combination of being hacked and coping with the pandemic is likely to cause additional stress. Hackers may try to take advantage of this, so you must be on your guard.

As well as being careful of any communications that claim to come from easyJet or easyJet Holidays, people should beware in case the data accessed in this hack is used in additional COVID-19 scams. Here are just some of the coronavirus scams you should look out for.

If you are targeted by scams and believe these are linked to this data breach, please note what has happened and keep any evidence. If you decide to make a data breach claim, we can use this to support your case.


The risk of developing/ exacerbating mental health conditions

The impact of data breaches goes much further than financial losses. Many victims go on to suffer from stress, anxiety and distress. Following a robbery, people often feel shock, anger, fear, helplessness and panic. A personal data breach is a 21st-century version of being burgled.

Furthermore, the psychological effects of a data hack might not be immediately apparent. Knowing that your information has been “burgled”, living with the increased risk, and the extra vigilance needed can all cause distress to victims over time.

Renowned clinical psychologist Professor Hugh C. H. Koch is an expert on the typical psychological effects experienced by victims of data breaches. He told us:

“Data breach victims typically experience high levels of anxiety, specific to the data breach but also generalised to other aspects of dealing with correspondence, telephone and digital communication and payment for services. Victims experience social anxiety, with difficulties dealing with friends and neighbours, tradesmen, shopping transactions and can develop oversensitivity or paranoia in their communications with others. They can also develop varying aspects of mood disturbances or depression especially including poor sleep and tearfulness.”

So, following the EasyJet data breach, victims must keep an eye on their emotional wellbeing to ensure that their mental health doesn’t suffer.


Has the EasyJet data hack put you at risk?

At Hayes Connor, we have been contacted by people concerned that EasyJet has breached their data; many of whom are understandably upset and anxious about the breach.

Making things worse, EasyJet took four months to warn customers that hackers had their personal information. So, it is possible that you might have already experienced phishing attempts and financial losses because of the breach. If this has happened to you, we encourage you to let us know.

We are now registering victims of this breach to a no-win, no-fee group litigation action against the airline. Group actions can be a powerful tool and can have a bigger impact than a single claim.

The law understands the damage that can be caused by worry and upset. So today, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

FIND OUT MORE ABOUT OUR EASYJET DATA BREACH GROUP ACTION

To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen.

There are no costs to register and no obligation to proceed.

REGISTER NOW


, ,

Remote working is causing data security concerns during the pandemic

At the start of the coronavirus pandemic, after lockdown measures were announced, our MD and data protection specialist Kingsley Hayes warned that careful consideration around data security was paramount for home working. He said that, as businesses started to navigate the unprecedented crisis, it was essential that they recognised the increased risks around data protection for employees working outside the office environment. He also recommended that organisations of all shapes and sizes implemented simple measures to mitigate the risk of a data breach.

But, while some businesses adapted their working practices to keep staff and clients safe while maintaining business as usual, not everyone paid attention to the warnings. And, a new report reveals that a staggering 46% of global businesses have encountered at least one cybersecurity scare since shifting to a remote working model during lockdown.

The survey by Barracuda Networks looked at over 1,000 business decision-makers in the UK, US, France and Germany. The findings revealed that 51% of organisations had seen an increase in phishing attacks since shifting to remote working (48% in the UK). Even worse, 41% admitted to reducing their cybersecurity budget to save money when tackling the pandemic.

Appropriate security measures must be established to reduce data security concerns during the pandemic

Commenting on the findings, Kingsley said:

It’s not surprising that organisations are facing increased risk. Many rushed to implement home-working and didn’t think about the increased vulnerability of this model. But, while this is understandable in the short-term, data privacy is not something customers are willing to sacrifice. And nor should they have to.

 “As we move towards a new normal – whatever that might look like – commercial survival will rely on the ability of organisations to adapt quickly. So, cybersecurity must remain a priority concern.

 “Data protection challenges are not going away. Indeed, the stats show that they are only going to increase. And with none of us knowing what the future looks like, organisations must find ways to meet their legal obligations. Especially as many plan to continue widespread remote working even after the crisis is over”.

Human error is the leading cause of data breaches

The vast majority of data breaches take place due to human error. So, to prevent violations, organisations must have a mobile working policy in place. And they must ensure that all staff are aware of the increased risks, and that everyone adopts the relevant security measures.

Kingsley added:

Data security doesn’t have to be difficult. Simple steps such as limiting remote access to files, encrypting data and making sure employees don’t use personal email addresses and devices to conduct company work can prevent costly mistakes.

 “And, the value of investing in regular staff training and data protection awareness programmes cannot be underestimated. Both at this critical time and beyond. Because, while the way in which businesses operate has changed, their data protection obligations remain the same.”

You can listen to Kingsley talking about the COVID-19 impact on data protection and the risks facing businesses in GDPR Now! The podcast looks at current topics in GDPR and all things privacy.

LISTEN HERE


For more advice on how to keep your data safe, follow Hayes Connor on Twitter and Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses. Or give us a call to discuss your case in more depth.

 

, , , ,

CVV security numbers exposed in EasyJet data breach

The more details come to light about the EasyJet data breach, the worse it gets. Earlier this week, the airline admitted that (as well as the personal details of nine million customers), over 2,208 passengers had their credit card details accessed in the EasyJet hack. And now, according to the BBC:

“Stolen credit card data included the three digital security code – known as the CVV number – on the back of the card itself”.

Why is the CVV number so important?

The CVV number provides added security against scams. It is needed to complete any transactions that are carried out online using a card. Under worldwide Payment Card Industry Data Security Standards (PCI DSS) companies are not allowed to save information about CVV numbers, because, if a hack takes place, it is very difficult for a cybercriminal to misuse card information without it.

And, while EasyJet is trying to PR the data breach as having information ‘accessed’ rather than ‘stolen’, if a hacker gets hold of your CVV number (along with other data), however they spin it, the results could be disastrous.

What can cybercriminals do with your financial data?

With enough financial information, cybercriminals set up fraudulent bank accounts and access your existing accounts. They can make payments using your data, and even apply for credit/loans.

Some financial data can also be used in targeted scams in an attempt to extract additional information from victims (e.g. banking passwords etc.). And hackers often sell stolen financial data to other criminals to use in future scams.

Even if no money is lost, the impact of a financial data breach can be significant. Many victims go on to suffer from stress, anxiety and distress due to living with the added risk and the extra vigilance needed. To make matters worse, the effects of a data hack might not be immediately apparent, as information is often used in batches over time. So there is no quick fix.

Protect your finances immediately

Customers whose credit card details were stolen in the EasyJet data breach were informed in early April. Although, we question why there was such a significant delay when the airline knew about the breach in January. If you were told your data was included in this breach and you haven’t already put steps in place to protect your finances, you must do so immediately. This includes:

  • Contacting your bank or credit card provider to let them know your data was violated (you should be issued with a new card and the bank might put additional security steps in place)
  • Keeping an eye on your transactions and contacting your bank or credit card provider immediately if you spot any unfamiliar or suspicious activity
  • Keeping an eye on your credit score for any unexpected dips
  • Contacting all the major credit reference agencies to ensure credit isn’t taken out in your name
  • Understanding that a legitimate bank or other financial organisation will never contact you ask for your PIN or full password, or ask you to move money to another account for fraud reasons
  • Registering with the Cifas protective registration service if you want to put an additional layer of security in place. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you.

There is a further threat to watch out for

In addition to the immediate financial threat, there is a secondary risk to look out for – and that’s phishing.

Phishing is where a fraudster poses as a legitimate organisation (e.g. EasyJet), the police, or someone else you trust to trick you into handing over sensitive information such as usernames and passwords. To protect yourself from phishing attempts we recommend that you be on your guard against attempts to extract further information from you. For example:

  • Always question uninvited approaches in case it’s a scam and don’t assume an email or phone call is authentic
  • Know that, just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine
  • Never disclose security details, such as your PIN or full banking password
  • Don’t click any suspicious links that claim to be from your bank (or anyone else). Always go to the organisation’s website by entering its proper address (or searching for it in Google)
  • Make sure your devices are protected by internet security software and keep this up to date
  • Be aware of common phishing techniques and keep an eye out for fraudsters who attempt to gather additional personal information
  • Listen to your instincts and stop conversations immediately if you are at all worried. A reputable organisation will never stop you from carrying out security checks.

Is EasyJet insured against the risk

As yet, the details are unclear. But in 2020, we would expect any large business to have insurance in place to protect itself against such breaches. Let’s face it, there are very few companies that don’t face cyber risk in this day and age. In fact, at Hayes Connor, we’ve been warning companies about this for quite some time.

Has EasyJet put you at risk?

At Hayes Connor, we have been contacted by people concerned that EasyJet has breached their financial data; many of whom are understandably upset and anxious about the breach. We believe that EasyJet may have failed to uphold your data security rights. Not just because of the initial hack, but because of the delay in informing customers. As such, we are now registering victims of this breach to a no-win, no-fee group litigation action against the airline. Group actions can be a powerful tool and can have a bigger impact than a single claim.

FIND OUT MORE ABOUT OUR EASYJET DATA BREACH GROUP ACTION

To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen.

There are no costs to register and no obligation to proceed.

REGISTER NOW


, , , ,

EasyJet took four months to warn customers that hackers had their personal information

On 19th May 2020, EasyJet admitted that the personal details of nine million customers had been accessed and 2,208 customers had their credit card details stolen in a sophisticated cyber-attack. EasyJet knew about the hack as far back as January. Under the General Data Protection Regulation (GDPR), organisations must tell the ICO (the UK’s data protection regulator) about a personal data breach within 72 hours. And, if the breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms”, organisations must also inform those individuals without undue delay. So why did the airline take four months to warn customers that hackers had their personal information following the EasyJet data breach?

EasyJet customers are at risk

EasyJet is trying to defend itself by claiming that “there is no evidence that this information has been misused by criminals”.  Instead, the airline claims that its investigation into the attack suggests that hackers were targeting “company intellectual property” rather than information that could be used in identity theft.  It is believed a group of Chinese hackers might be behind the attack, and that this group has previously targeted travel records and other data valuable for counterintelligence.

But EasyJet can’t possibly know the extent of the threat to individuals.

A data breach can result in both financial and/or identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Even an email address can be used to extract additional data and cause harm. And hackers often sell stolen data to other criminals to use in future scams. As such, the impact of data breaches goes much further than financial losses. Many victims go on to suffer from stress, anxiety and distress. Furthermore, the effects of a data hack might not be immediately apparent.

Plus, 2,208 customers had their credit card details accessed. This is a very obvious threat. And, while these customers were informed about the EasyJet data hack in early April, that’s still a very significant delay.

Has Covid-19 changed things?

EasyJet claims that, since it became aware of the incident, it has become clear that owing to COVID-19, there is heightened concern about personal data being used for online scams. It is true that hackers will likely try to take advantage of people who are cancelling flights because of the pandemic.

But, while COVID-19 gives cybercriminals an extra opportunity to contact and attempt to exploit customers, we would argue that this risk has always existed. As such, we find it hard to accept this justification for the delay.

EasyJet claims it wasn’t able to warn customers before now

As the details of this case emerge, EasyJet has also justified the delay by claiming that it took time to understand the scope of the attack and to identify who had been impacted. This might very well be the case (and the ICO’s investigation into the breach should establish if this is true). But, if EasyJet cared about the safety of its customers, it could have issued a general warning. This would at least have given people the opportunity to put additional security measures in place until the full details were known. By not doing this, EasyJet left millions of people vulnerable for months.

The ICO has raised concerns about phishing following the EasyJet data breach

On the recommendation of the ICO, EasyJet eventually alerted customers and warned them of the risk of phishing. Phishing is where a fraudster poses as a legitimate organisation (e.g. EasyJet), the police, or someone else you trust to trick you into handing over sensitive information such as usernames, passwords and financial data.

The impact of a phishing scam can be devastating, and we have seen cases where the financial losses only start to occur three to six months later. This is often because the data stolen is used in batches over time. As such, EasyJet customers affected by this breach must be on their guard. The ICO has advice on its website on how to spot phishing scams.

It is also possible that customers of EasyJet might have experienced increased phishing attempts over the past few months because of the breach. If this has happened to you, we would encourage you to let us know.

Has the EasyJet data breach put you at risk?

EasyJet warned customers whose credit card details were stolen in early April. All other customers will be notified no later than 26th of May 2020. If you have been a customer of EasyJet, we advise you to keep an eye out for this communication (and check your spam folder in case it is directed there).

At Hayes Connor, we have already been contacted by people concerned that EasyJet has breached their data; all of whom are understandably upset and anxious about the breach. We believe that EasyJet may have failed to uphold your data security rights. Not just because of the initial hack, but because of the delay in informing customers. As such, we are now registering victims of this breach to a no-win, no-fee group litigation action against the airline. Group actions can be a powerful tool and can have a bigger impact than a single claim.

FIND OUT MORE ABOUT OUR EASYJET DATA BREACH GROUP ACTION

To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen.

There are no costs to register and no obligation to proceed.

REGISTER NOW


, ,

Cathay Pacific fined £500,000 by ICO for data breach

Cathay Pacific Airways Limited has been fined £500,000 by the Information Commissioner’s Office (ICO) following a massive data breach. The airline’s failure to secure its systems resulted in the personal details of some 9.4 million customers being exposed. Of these customers, 111,578 were from the UK.

The £500,000 penalty is the maximum fine possible under the UK’s previous data protection law (which was in place when the breach occurred). Had the Cathay Pacific data breach been considered under the GDPR, which has since replaced the older legislation, the resulting fine could have been much higher. For example, the ICO has unveiled plans to fine British Airways £183m for a GDPR breach. As such, it could be argued that Cathay Pacific got off lightly.

What happened in this case?

Cathay Pacific first identified unauthorised access to its systems in March 2018 after its database was subjected to a brute force attack. In response, the airline employed a cybersecurity firm, which subsequently reported the incident to the ICO.

The data exposed in the attack included names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information. The damage that cybercriminals can affect with this information should not be underestimated.

Nevertheless, it took more than six months before the breach was made public. During this time, customers of Cathay Pacific were prevented from putting steps in place to protect their data.

Who is at risk following the Cathay Pacific data breach?

According to the ICO, the earliest date of unauthorised access to Cathay Pacific’s systems was October 14, 2014. And, the earliest known date of unauthorised access to personal data was February 7, 2015. So, customers who used the airline between 2015 and 2018 are right to be concerned. However, it is believed that Cathy Pacific has informed all affected individuals.

What did the ICO say?

The ICO found a catalogue of errors during its investigation. This included:

  • Back-up files that were not password protected
  • Unpatched internet-facing servers
  • Use of operating systems that were no longer supported by the developer
  • Inadequate anti-virus protection.

Commenting on the case, Steve Eckersley, ICO Director of Investigations, said:

“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

What about the victims of the Cathay Pacific data breach?

While the ICO’s fine is vital in holding the airline to account, none of the £500,000 will go to victims of the Cathay Pacific data breach. But, if you want to make a No-Win, No-Fee claim for any distress and/or loss suffered because of this privacy violation, we can help.

At Hayes Connor, we help people to claim compensation for data protection breaches, data hacks, consumer rights violations, and the misuse of personal information.

We also understand that making a compensation claim can be stressful; especially where your sensitive information has already been breached. That’s why we remove the jargon from the process and make sure you always know what’s happening with your case. Furthermore, our process is fully compliant with ICO guidance, and we never put your details at risk.

Click on the link below to tell us about your experience. There are no costs to do so and no obligation to proceed.

START A DATA BREACH CLAIM

, ,

Why the COVID-19 outbreak might lead to more data breaches

At Hayes Connor Solicitors, we’ve received thousands of enquiries from people who have suffered as a direct result of a data breach. Cybercriminals cause some of these cases. But, in many instances, seemingly small mistakes are bringing misery and upset to people across the UK. In fact, despite fears about cybercrime, human error is seven times more likely to cause data protection breaches than hackers.[1]

As businesses navigate the coronavirus crisis, many have responded by increasing home working. But, at this challenging time, it is highly likely that organisations will suffer more mistakes and more data breaches. And there are two key reasons why.

1. In the rush to get up and running, some companies have not implemented appropriate security measures

The vast majority of data breaches happen because of inadequate security processes. Even when a privacy violation occurs as the result of a hack or other form of cyberattack, a lack of robust safety measures is usually to blame. Organisations that have not invested the time to protect their data are leaving the door open for criminals to exploit.

The impact of the coronavirus crisis will be far-reaching, and long-term commercial survival will rely on the ability of organisations to quickly adapt working practices to keep staff and customers safe while maintaining business as usual. So, as we all adapt to the new normal, businesses that haven’t yet reviewed their data security – especially for mobile workers – must do so.

Things businesses must look at urgently include:

  • Reviewing data and security processes. Because once organisations know what they are dealing with, they can document the controls they have in place and evaluate any potential risks
  • Establishing where improvements are needed and putting the necessary security measures in place. For example, appropriately limiting remote access to files and information and encrypting personal and sensitive data
  • Implementing/updating their mobile working policies.

In addition, organisations should also consider things like penetration testing, prompt attention to updates and patches, on-going maintenance of cybersecurity systems, and making sure that there are swift response protocols in place should data become compromised. Furthermore, for businesses that are using apps and other technology to work remotely, they must scrutinise third-party integrations to assess any potential impact on security.

2. People make mistakes. Even more so when they are worried and stressed

People are the biggest cause of data breaches. And, at a time when we are all feeling more anxious than usual, it is to be expected that mistakes will happen. And indeed, that they could increase; especially in situations where appropriate homeworking procedures haven’t been established.

Common causes for data violations include:

  • Information being sent to the wrong recipient
  • Loss of theft of paperwork
  • Failure to redact data
  • Failure to use bcc when sending an email
  • Unencrypted devices being lost or stolen.

Also, employees often fall victim to cyber scams that inadvertently allow criminals to access their employer’s systems. In March 2020, coronavirus-related fraud reports increased by 400%, and, when people are already anxious, they could be more susceptible to fraud. So, everyone must be on their guard during the current pandemic – and beyond.

One of the most important things an employer can do to reduce the risk of a data protection failure is to carry out training. This is vital to ensure that all staff are aware of the risks – and that they feel more confident when working from home. And now is the perfect time to introduce a remote training programme.

The bottom line is that organisations are still responsible for data security. And if they do not take this obligation seriously, they will be liable for any work-based privacy errors – regardless of where that work is taking place.

Data protection is essential during the COVID-19 pandemic. And beyond

Today, technology is making it possible for businesses to adapt to employees working remotely. However, being mindful of potential data protection risks, and quickly implementing appropriate security measures, should be front of mind.

For more information on how to keep your data safe, follow us on Twitter and Facebook. Alternatively, if you have been the victim of a data breach, please contact us to find out how we can help. Our initial advice is completely free, and there is no obligation to process.


[1] Freedom of Information Act Request 2017/2018