Another Day; Another Police Data Breach  

The largest police force in the UK, the London Metropolitan Police (also known as the London Met), has fallen victim to a substantial data breach. Approximately 47,000 members of the police staff have been informed about the potential compromise of their personal data. This includes details such as photos, names, and ranks. The breach occurred when criminals targeted the IT systems of a contractor responsible for producing staff identification cards.

While this breach has raised concerns about the security of sensitive information, it is important to note that details like identification numbers and clearance levels might have been exposed as well. However, it has been confirmed that the breached data did not include home addresses of the affected Met police personnel. There are fears that organised crime groups or even terrorist entities could be responsible for this breach of security and personal data.

Furthermore, the breach has amplified security apprehensions for London Met police officers from Black, Asian, and Minority Ethnic backgrounds. Former London Met Police Chief Superintendent Dal Babu explained that individuals with less common names might face a heightened risk. Criminal networks could potentially locate and target them more easily online, compared to those with common names. This concern is particularly relevant for officers in specialised roles like counter-terrorism or undercover operations.

Reacting to this situation, former Met commander John O’Connor expressed outrage, highlighting concerns about the adequacy of the cyber security measures put in place by the contracted IT security company, given the highly sensitive nature of the information at stake.

This incident presents a significant challenge to the UK Home Office, and it is likely that the government will be compelled to swiftly review and bolster security protocols. This step is necessary to ensure that the personal data of security service personnel is safeguarded with the utmost levels of privacy and data security. Both the Information Commissioner’s Office (ICO) and The National Crime Agency have initiated investigations.

This follows the data breach of the Police Service of Northern Ireland (PSNI) where, in response to a Freedom of Information request, the PSNI mistakenly divulged information on every police officer and member of police staff. Over in England, Norfolk and Suffolk Police also recently announced it had mistakenly released information about more than 1,200 people, including victims and witnesses of crime, also following an FOI request. Last week, South Yorkshire Police referred itself to the information commissioner after “a significant and unexplained reduction” in data such as bodycam footage stored on its systems, a loss which it said could affect some 69 cases.

These incidents underscore the urgency of maintaining robust data protection measures and raising awareness about potential risks, especially within law enforcement agencies. It also requires Data Controllers to ensure that they have processes in place to comply with the requirements of GDPR (Article 28) when it comes to appointing Data Processors.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.

Privacy Concerns Raised Over Adoption Records on Genealogy Website 

Last week, the names and details of individuals adopted over the past century were found to be accessible on the genealogy website, Scotland’s People. The exposure of these records, alongside other recent data breaches, has ignited a discourse on privacy and security.

Upon being alerted by a concerned mother, who discovered her adopted child’s details on the website, the NRS acted promptly, removing the information within 36 hours. The mother detailed her experience in an interview with BBC Scotland News. She highlighted the potential risk of the website inadvertently enabling individuals to discern the adopted child’s new surname. This revelation is alarming, especially as many adoptive parents opt to retain the first names of their children.

Diving deeper into the website’s database, it was revealed that the platform had information on adoptions dating as far back as 1909, with the most recent entries from 2022. Nick Hobbs, the acting Children’s Commissioner in Scotland, said that the exposed data could be in violation of both the European Convention on Human Rights and the United Nations Convention on the Rights of the Child, both of which enshrine the right to privacy.

While the NRS responded by temporarily removing the records from the site, they highlighted their statutory responsibility to maintain open and searchable registers. They also stressed that this incident didn’t classify as a personal data breach. Nonetheless, as a precautionary measure, they informed the Information Commissioner’s Office (ICO) about the concerns raised.

The ICO, in its statement, underscored the importance of sensitive personal data being managed in accordance with data protection laws. They clarified that while the NRS did notify them, they hadn’t received a formal breach report.

This incident serves as a poignant reminder of the complexities of balancing transparency and privacy in the digital age. As the debate around personal data continues to evolve, it underscores the need for stringent measures and vigilance in the handling of sensitive information, especially when it pertains to vulnerable demographics.
It is paramount that organisations ensure robust data governance practices to prevent potential breaches and safeguard individual rights. 


Ibrahim Hasan’s BBC Radio Ulster Interview about the PSNI Data Breach 

Today, Ibrahim Hasan gave an interview to BBC Radio Ulster about the Police Service of Northern Ireland’s (PSNI) recent data breach. In response to an FOI request, PSNI shared names of all officers and staff, where they were based and their roles. Listen below. More about the PSNI and the Electoral Commission data breaches here.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. Our Data Mapping workshop is proving very popular with IG and DP Officers who wish to develop this skill.

The Electoral Commission and PSNI: One Day, Two Data Breaches!

Yesterday two major data breaches were reported in the public sector. Both have major implications for individuals’ privacy. They are also a test for the Information Commissioner’s Office’s (ICO) approach to the use of its enforcement power.

In the morning, the Electoral Commission revealed, in a public notice issued under Article 33 and 34 of the UK GDPR, that it has been the victim of a “complex cyber-attack” potentially affecting millions of voters.
It only discovered in October last year that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and “control systems”.

The Commission said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022. This includes those who opted to keep their details off the open register, which is not accessible to the public but can be purchased. The data accessed also included the names, but not the addresses, of overseas voters.

The Commission said it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people. It has warned people to watch out for unauthorised use of their data. The ICO has issued a statement saying it is currently making enquiries into the incident.

And then late last night, and perhaps even more worrying for those involved, the Police Service of Northern Ireland apologised for a data breach affecting thousands of officers. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours.

The ICO has just issued a statement about the PSNI data breach. A few years ago such data breaches would attract large fines. In 2021 the Cabinet Office was fined £500,000 (later reduced to £50,000) for publishing postal addresses of the 2020 New Year Honours recipients online. In June 2022 John Edwards, the Information Commissioner, announced a new approach towards the public sector with the aim to reduce the impact of fines on the sector. This centred around issuing reprimands rather than fines for the public sector. Since then no public sector organisation has been fined despite some very serious data breaches. In May 2023, Thames Valley Police (TVP) were issued with a reprimand after an ICO investigation found that TVP had inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness (the data subject). As a result of this incident, the data subject moved address and the impact and risk to the data subject remains high. Many data protection experts have expressed concern about the public sector’s special treatment. In relation to yesterday’s data breaches, anything other than serious enforcement action will lead to further questions for the ICO.

The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. Had the breach included addresses, it would have been even more serious. Both these breaches are going to test the ICO’s public sector enforcement policy.

Ibrahim Hasan has given an interview to BBC Radio Ulster about the PSNI data breach. Listen here.


Ticketmaster Fined £1.25m Over Cyber Attack


GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe including 1.5 million in the UK.

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these banks and others had warned Ticketmaster of suspected fraud. Despite these warnings, Ticketmaster took nine weeks to start monitoring activity on its payments page.

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe.
Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

The Marriott Data Breach Fine


The Information Commissioner’s Office (ICO) has issued a fine to Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. The fine does not come as a surprise as it follows a Notice of Intent, issued in July 2018. The amount of £18.4 million though is much lower than the £99 million set out in the notice.  

The Data 

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.  

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK. 

The Cyber Attack 

In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access. Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network.
With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker. 

The ICO acknowledged that Marriott acted promptly to contact customers and the ICO.
It also acted quickly to mitigate the risk of damage suffered by customers. However it was found to have breached the Security Principle (Article 5(1)(f)) and Article 32 (Security of personal data). The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014. 

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.  

It is also essential that DPOs have a good understanding of cyber security. We have some places available on our Cyber Security for DPOs workshop in November. 

The Information Commissioner, Elizabeth Denham, said: 

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.” 

Marriott said in statement:  

“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

Marriott has also said that it does not intend to appeal the fine, but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.  

This is the second highest GDPR fine issued by the ICO. On 16th October British Airways was fined £20 million, also for a cyber security breach. (You can read more about the causes of cyber security breaches in our recent blog post.) The first fine was issued in December 2019 to Doorstep Dispensaree Ltd for a comparatively small amount of £275,000.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate is fully booked. We have added more courses.

Recovering Personal Data After Inadvertent Disclosure: The Injunction Route


Even with the best data protection training and awareness programme, mistakes can and do happen when organisations process personal data of a sensitive nature. Personal data can be lost or simply sent to the wrong person. Two recent High Court cases involve local authorities seeking injunctions in an attempt to limit the impact caused by inadvertent disclosures.

In Redbridge LBC v Jennings [2020] 5 WLUK 122 (to the best of our knowledge, only reported on Westlaw) the London Borough of Redbridge was granted an injunction to prevent X from publishing highly sensitive information about another family, that the Council had inadvertently sent to X. London Borough of Lambeth v Anthony Amaebi Harry [2020] EWHC 1458 (QB) was partly about a Breach of Confidence action by Lambeth Council against the Respondent who had also received third-party personal data. Let’s consider both cases and what we can learn from them.

The Disclosures

In the Redbridge case, a council employee wrote to X regarding her family. However the employee inadvertently included documents, containing highly sensitive information about another family (Family A), in the envelope. When X received the documents, she realised that she should not have seen them and so she returned them to the council.  However, it later transpired that X had taken copies of the documents and that she planned to visit Family A to inform them about the council’s error. X also indicated that she would not destroy the copies that she had retained but she would give them to her solicitor. It is clear that X understood the confidential nature of the documents, and that she did not intend to share them with anybody else. However, it appears that she intended to retain the documents (in the hands of her solicitor) for the purpose of pursuing her own data protection claim against the council. X alleged that information about her family had been sent to a third-party who had “knocked on her door to return the documents”. At the time of writing it is uncertain whether X has brought such an action.

In the Lambeth case, Mr Harry made a subject access request (in November 2018) to the Council seeking information held about his child. It appears that another person (HJ) had made allegations to the Council about the care that Mr Harry and his wife were providing for their child. Lambeth Council provided the information to Mr Harry by electronic means. However it turned out that Mr Harry was able to manipulate the data (by removing the redactions that the Council had made) and was able to identify HJ, who had made the initial allegations. He commenced legal proceedings against HJ for defamation.

Lambeth Council sued Mr Harry for Breach of Confidence. It claimed that the information was provided to Mr Harry in circumstances where he knew it was confidential and that he had breached that confidentiality by “unredacting” the data, retaining it and using it as evidence to start court proceedings against HJ. The Council’s rationale for bringing the Breach of Confidence action was that informants have an expectation of confidentiality. The Council obtained an interim injunction in February 2019 to restrain Mr Harry from using the information he had acquired.

A Notifiable Data Breach

Both cases involve a personal data breach as defined by GDPR Article 4 (12):

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Article 33 of GDPR requires a Data Controller to notify the Information Commissioner’s Office (ICO) about a personal data breach “without delay and where feasible, not later than 72 hours after becoming aware of it”. Notification is not required if the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Disclosing highly sensitive information about one family to another is likely to be a notifiable breach. A failure to adequately redact the name of a person who makes confidential allegations is also likely to have the same result.

The problem with inadvertent and accidental disclosures is the Data Controller may not necessarily be aware of them for some time. In the Redbridge Council case, X told the Council she had received the documents by mistake. According to the Article 29 Data Protection Working Party Guidelines on Personal Data Breach Notification under Regulation 2016/679, when a third party informs a Data Controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure, the Data Controller has become “aware” of the personal data breach. Where a Data Controller has been presented with clear evidence of a confidentiality breach then there can be no doubt that it has become “aware”. In the Redbridge case the Council took a decision to self-refer to the Information Commissioner’s Office; although interestingly the facts suggest that this happened prior to the GDPR coming into force.

In the Lambeth Case it is not entirely clear when or how the Council became aware that Mr Harry had been able to manipulate the data. However the facts, as recorded in the judgement, suggest that it became aware sometime in late 2018 when the ICO investigated complaints made by Mr Harry about the Council’s handling of his subject access request. In other words, it does not look like the Council was aware of the breach until the ICO investigated, although this is not certain from the limited factual information in the judgment.

When a Data Controller becomes aware that personal data has been unlawfully disclosed to a third party, it needs to contain the incident and assess the risk that could result from it. One way of doing this is to request the recipient to either return the information or to securely destroy it. However the Article 29 Guidelines make it clear that the Data Controller must “trust” the recipient to do this. In both cases it was quite clear that the recipients had no intention of safely destroying the personal data or returning it to the respective councils. In both cases the recipients intended to use the data as evidence in their own legal claims. In both cases the Councils sought an injunction to prevent the recipients from misusing private information and/or a Breach of Confidence.

Injunctions and Offences

Before granting an injunction, the High Court is required to consider whether an injunction would affect a person’s right to freedom of expression; for example his/her right to publish the information online or via the press. It can only grant an injunction if it is satisfied that publication should not be allowed.

In the Redbridge case the Court considered that the information was highly sensitive and that there would be a breach of confidentiality if the documents were either revealed to the press or published on-line. It therefore granted the injunction. In the Lambeth case the Court granted an interim injunction but the case concerning the Breach of Confidence has been listed for trial in July 2020 where Mr Harry will argue that he has a public interest defence.

In April 2020 the ICO decided to prosecute Mr Harry (in the Lambeth case) for two offences: knowingly or recklessly re-identifying de-identified personal data, without the consent of the Data Controller, contrary to s.171(1) of the Data Protection Act 2018 (“the DPA”), and knowingly or recklessly processing re-identified personal data, without the consent of the Data Controller, contrary to s.171(5). There are no further details about this prosecution at this moment in time.

Lessons Learnt

The incidents in the cases referred to above were not major cyber-attacks or large-scale disclosures. In one case personal data was inadvertently put into an envelope. In another personal data was not properly redacted. But the consequences were potentially severe and could have had significant and adverse consequences for the data subjects concerned.

Both cases show that, although breach notification goes a long way towards addressing issues of awareness and accountability, Data Controllers may need to take further legal action, in the form of an injunction, to prevent collateral damage from an accidental disclosure. The ICO can use its enforcement powers under the DPA 2018 to prosecute people who unlawfully reidentify personal data and seek to process it, but this may come too late if the damage is already done.

GDPR is going global! Ibrahim Hasan is delivering a webinar which will give you a whistle-stop tour of data protection laws around the world. Want a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the course starting at the end of August.


The EasyJet Data Breach: GDPR Fine Arriving?


On 19th May 2020 it was reported that in January 2020 EasyJet was subject to what they describe as a “highly sophisticated” cyber-attack, resulting in the personal data of over 9 million customers being “hacked”. Detailed information about the attack is sparse, with most media sources repeating the same bare facts. Some of the information below is based on the media reports and emails sent to EasyJet customers. At the time of writing there was no information about this on the Information Commissioner’s Office web site.
What little information is available points to a number of breaches of the General Data Protection Regulation (GDPR) which could result in the Information Commissioner’s Office (ICO) imposing a monetary penalty.

However, in view of the ICO’s reassessment of its regulatory approach during the current Coronavirus pandemic and reports that it has further delayed the imposition of its £183 million fine against British Airways, readers may be forgiven for thinking that EasyJet will not be on the receiving end of a fine any time soon. In any event, it seems likely that the ICO will be forced to consider the fact that EasyJet, along with the whole airline industry has been very severely affected by the Coronavirus and faces huge financial pressures.
The consequences for EasyJet in respect of this breach will remain unclear for many months and may disappoint customers whose personal information has been stolen.

Breach of Security

All Data Controllers must comply with the data protection principles set out in Article 5 of GDPR. In particular, Article 5 (1) (f) (the security principle) requires Data Controllers to process personal data in a manner that “ensures appropriate security” of the personal data that they process. That includes protecting against “unauthorised or unlawful processing and against accidental loss, destruction or damage.” This obligation to process personal data securely is further developed in GDPR Article 32 which requires Data Controllers to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The steps that a Data Controller has to take will vary, based upon “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. In other words, Data Controllers must implement security measures that are “appropriate to the risks” presented by their processing, which reflects the GDPR’s risk-based approach. So, for example, a village hairdresser will not be expected to take the same amount of security precautions as an international airline handling personal data (and often Special Category Data) about millions of people. We do not know what cyber-security precautions EasyJet had in place to prevent this attack; however, it is arguable that it should have reviewed its security arrangements (which it may well have done) in the wake of the British Airways attack that was widely reported in September 2018.

There is no doubt that the incident amounts to a “personal data breach” under GDPR Article 4 (12) since it involves a breach of security leading to the unauthorised access of the personal data of about 9 million people. Of the 9 million people affected, 2,208 had their credit card details stolen.

Breach Notification

When a Data Controller becomes aware of a “personal data breach” it must notify the ICO “without undue delay, and where feasible not later than 72 hours after becoming aware of it” (GDPR Article 33). The controller is relieved from this duty where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. That does not appear to be the case here, given both the scale of the attack and the fact that the hackers gained access to customers’ credit card details and travel plans. The media reports indicate that the ICO was informed about the attacks that took place in January 2020, but there is no indication of exactly when it was informed. If EasyJet did not notify the ICO within the time frame of Article 33, then this constitutes a further breach of the GDPR.
Phased notification is allowed, though, when a Data Controller does not have the full details of the data breach within the 72 hours. This is likely to be the case here, where EasyJet instructed an immediate forensic investigation to establish the nature and extent of the breach, but the initial notification should still have been made within the 72 hour period as per Article 33.

Notifying EasyJet Customers

GDPR Article 34 requires a Data Controller to notify any Data Subjects when the personal data breach is “likely to result in a high risk to the[ir] rights and freedoms”. The threshold for communicating a data breach to Data Subjects is higher than for notifying the ICO, and therefore it will not always be necessary to communicate with affected Data Subjects.
Data Controllers must assess the risk on a case by case basis. However, the Article 29 Working Party Guidelines on Breach Notification suggest that a high risk exists when the breach may lead to identity theft, fraud or financial loss. This would appear to be the case in the EasyJet breach. The GDPR does not state any specific deadline for notification of Data Subjects, but it does say that it should be “without undue delay”.

Media reports suggest that EasyJet customers were notified in two separate tranches.
The first notification, to customers whose credit card details were stolen, was sent by email in early April. The second tranche, to all other affected customers, was sent by 26th May.
Customers who received emails at the end of May were advised that their name, email address and travel details were accessed (but not their credit card or passport details).
The purpose of notifying customers is to enable them to take steps to protect themselves against any negative consequences of the breach. The email suggested that customers take extra care to avoid falling victim to phishing attacks.

It remains to be seen whether EasyJet customers were notified “without undue delay”, given that the airline became aware of the breach in January but the first notification to customers whose credit card details were stolen was not until April. It is plausible that this may have been too late for some customers. If this is the case then not only would this result in a further breach of the GDPR, but it could expose EasyJet to claims for compensation under GDPR Article 82. Indeed, according to SC Magazine, a law firm has already issued a class action claim in the High Court. Note that according to Lloyd v Google (and now under GDPR) claimants do not have to show direct material damage to claim compensation.

Will EasyJet Be Fined?

The details available to date certainly suggest a breach of Article 5 (1) (f) and possibly Article 32. In addition, it may be the case that EasyJet failed to notify their customers without undue delay and have breached Article 34. Breaches of these provisions could theoretically result in the ICO imposing a monetary penalty of up to 4% of EasyJet’s total worldwide annual turnover in respect of a breach of Article 5 and up to 2% of its total worldwide annual turnover for breaches of Articles 32 and 34.

It is too early to compare the circumstances of the EasyJet breach with the British Airways breach. The number of Data Subjects affected by the BA attack was reported to be about half a million (compared to 9 million in the EasyJet attack). However, the number of people whose credit card details were stolen in the BA attack was much greater (about 380,000 booking transactions, compared with 2,208 in the EasyJet attack), and British Airways notified its customers immediately. Therefore the scale and gravity of the two breaches are not identical. The ICO will need to take these factors into account in deciding on the level of any fine. The maximum that the Commissioner could fine is (as stated above) up to 4% of EasyJet’s annual turnover. It is not clear what this figure is, but the EasyJet Annual Report for 2019 states that the company’s total revenue in 2019 was £6,385 million. In contrast, BA’s total revenue was £12.2 billion. The fine will almost certainly be smaller than that imposed on British Airways, but it really remains to be seen how the ICO will react to the financial pressure that EasyJet is clearly under as a result of the Coronavirus pandemic. All we can do is watch this space.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked; a few places are left on the course starting on 2nd July.
