Updated: ICO a ‘toothless tiger’ claim commentators, as EasyJet breached

News by Andrew McCorkell

The Information Commissioner's Office has not done enough when it comes to GDPR, some industry experts have claimed.

The UK has fallen behind other nations in the EU when it comes to tackling GDPR says Sarb Sembhi, CTO & CISO of Virtually Informed, who is highly critical of the ICO.

There have been claims the ICO is a 'toothless' tiger, given its own statistics and the growing perception that there are further delays in the BA and Marriott investigations – two of the most high profile cases with the largest proposed fines to date.

Sembhi also pointed out that in comparison to other Data Protection Supervisory Authorities in Europe, the ICO’s Q1 Fines and enforcement notices lists only two fines.

(One of these was an airline, Cathay Pacific, this fine was issued under the previous law with a maximum fine of £500,000. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed, 111,578 of whom were from the UK, and approximately 9.4 million more worldwide.

The other fine was DSG Retail which is Currys PC World and Dixons Travel in the retail sector, after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.)

“I would guess that the ICO would argue that it has to be proportionate and consider the context of each one,” Sembhi said.

"The most recent airline breach is the EasyJet breach, and the context is that it has come to light during the Coronavirus, meaning that either the ICO will or may be forced to take into consideration the fact that the airline industry has been badly affected.

“Which begs the question, when the world economy and airline are doing well, would the ICO make their fines higher to allow for the contextual thinking? The chances of that ever happening are absolutely zero, neither the UK nor the ICO would ever contemplate such unfairness.

“I fear that out of all the Data Protection Supervisory Authorities in Europe, the UK ICO will no longer be considered as the toothless tiger, but more a kitten that might scratch occasionally but unlikely to do so as long as you keep stroking it.”

In an email so SC Media UK, responding to these comments, an ICO spokesperson said: “Our role as an independent regulator is to act in the public interest, and our approach has always been to be a pragmatic and proportionate regulator.  As set out in our Regulatory Action Policy, the ICO will continue to act proportionately, balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking into account the particular challenges being faced at this time.”

Tony Pepper, CEO, Egress emailed SC to comment on the statistics about breaches reported to the ICO suggesting, "The ICO’s figure, sadly, will only be the tip of the iceberg for the actual number of misdirected emails in the UK. These incidents traditionally require employees to notice they’ve made a mistake and self-report – and not everyone is willing to do that for fear of repercussions. Instead, it’s up to organisations to get on the front foot with solving this problem, looking to intelligent email security that uses the latest in machine learning to detect mistakes and prevent breaches before they happen – enabling employees to work both more productively and securely.”

Pepper adds, “Misdirected emails are the number one security threat to businesses globally – so it’s no surprise they’re top of the ICO’s list for reported cyber incidents. Everyone has access to email, and while organisations often focus on how it can be exploited for inbound attacks like phishing, ‘inadvertent insiders’ making mistakes are a far greater risk. Remote working during the Covid-19 lockdown has only amplified this. We’ve seen an average 23 percent rise in email usage, as organisations rely even more heavily on it as a critical business communication tool."

Live investigation

Following the EasyJet breach, the ICO published advice on its website about how to spot potential phishing emails.

A spokesperson added: “We have a live investigation into the cyber-attack involving EasyJet.

“People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.

“Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks, and scam messages." 

In the attack on the airline, the hackers accessed email addresses and travel details but there is no evidence to date that the information has been misused, Easyjet said in a Notice of Cyber Incident.

The airline described how hackers have stolen the personal details of nine million Easyjet customers.

That includes the credit card details of more than 2,200 people in what the airline described as a “highly sophisticated” attack.

In 2018 British Airways reported that hackers had accessed personal information, including bank details, of 500,000 of its customers, according to the Times.

The ICO  has issued a notice of intent to fine BA a record £183 million, with BA understood to be challenging the scale of the proposed fine in its representationas as part of the regulatory process. Fines can changed depending on these representations.

Airline sector already 'on its knees'

Matt Walmsley, EMEA director at Vectra said that transportation as part of critical national infrastructure is a tempting target for nation-state threat actors and cybercriminals alike.

Walmsley said: “While EasyJet characterises this attack as coming ‘from a highly sophisticated source’ we’ve yet to see details that corroborate the sophistication or attacker attribution.

“Even if EasyJet were found to be significantly accountable by the ICO I doubt there would be much appetite for a big GDPR fine when the sector is already on its knees and close to collapse for some airlines.”

Check Point’s UK regional director, Andy Wright said the detailed personal information stolen from the website is likely to be traded between hackers and “used as bait for targeted phishing attacks” against customers, especially in emails claiming to be from EasyJet or an affiliate company.

“It’s just a numbers game for hackers, as they can easily send tens of thousands of emails in the hope of tricking a handful of customers,” Wright said.

“We have seen a sharp increase in phishing attempts and cyber-attacks over recent weeks, with many related to the Covid-19 pandemic. I would not be surprised to see further attacks launched using this stolen data.”

Cath Goulding, CISO Nominet said that the airline industry was already facing "one of its most testing times” before adding: “While EasyJet has stated that there is no evidence that information has been misused yet, given the breadth of data that airlines hold, follow-up phishing attacks could be damaging.

"This is not to mention the fact that the data flowing between airline and customer is often to prove identity, and is consequently especially valuable."

Matt Aldridge, principal solutions architect at Webroot agreed that we are in the middle of a difficult time for airlines meaning a data breach will not help in retaining customers’ trust.

“EasyJet will quickly need to explain why it has taken so long since January to announce this and why the affected customers have still not been informed,” Aldridge said.

“The fact that it has been working with ICO and NCSC is reassuring, and hopefully this will reduce any potential GDPR fines, but either way this is not going to do its business any favours."

Aman Johal, director and lawyer at Your Lawyers, said that the news that nine million EasyJet customers have had their personal information exposed is another damaging blow to the airline.

“Although EasyJet has said that there is no evidence any customer data has been misused, the fact that over 2,000 customers have had their credit card details exposed is disastrous," Johal said. 

“As advised by the ICO, contacting those who may have been affected is the first step for EasyJet, but the company will have to do much more to regain their trust.

“In 2018, competitor airline British Airways was penalised for a data breach affecting half-a-million customers.

“The ICO announced its intentions to issue the airline a record-breaking fine of £183 million, which is in addition to possible compensation pay-outs for customers that could reach up to £3 billion. With EasyJet’s data breach affecting many more customers, it too could face significant fines and compensation claims.”

Chris Harris, EMEA technical director at Thales said there is a lot more companies can and should be doing to protect their customers’ data from malicious actors.

He said: “Businesses need to start to understand that they will eventually suffer a data breach, no matter how robust they think their security systems are – it’s a question of ‘when’, not ‘if’."

Alun Baker, CEO Clario said that with most of the world on lockdown, most people are living digitally in a way that has never been seen before. 

“We’ve now seen the likes of British Airways, Marriott and Travelex admit to personal customer data being stolen which does not instil consumer confidence,” Baker said.

A perfect storm

Paying attention to privacy settings, only using secured networks and using multi-factor authentication are all simple steps that can be taken to protect personal information but businesses must also take responsibility.

Andy Barratt, UK managing director at global cybersecurity consultancy Coalfire, said the aviation industry is experiencing something of a “perfect storm”. 

“Airlines, and the wider travel sector, are consistently targeted by cybercriminals due to a large amount of digital transactions, credit and information sharing needed to ensure the industry operates smoothly,” Barratt said.

“Notably, the direct-to-consumer booking models used by budget operators circumvent some of this but mean that there is little room for them to outsource risk when it comes to cybersecurity – as EasyJet will no doubt now be aware.”

Austin Berglas, global head of professional services at BlueVoyant spoke about the threat of phishing campaigns, but also that sensitive accounts might be at risk as email account passwords can be obtained in the Dark Web - many users reuse passwords across multiple accounts. 

Berglas added: “The use of multi-factor authentication and practising proper password hygiene is a necessary step to best avoid account takeovers which may lead to Identity Theft or Financial Fraud - in addition, putting in place a credit freeze will also greatly reduce the chances of identity theft."

On a more technical point Peter Galvin, chief strategy officer at nCipher Security added: “The key step after the data breach is to limit the threat surface. To prepare for such situations, you have to put in place dynamic isolation and micro-segmentation, both of which enable tech specialists to contain the threat surface while keeping operations running.”

Phillip Hay, head of threat intelligence analysis at Mimecast said that to properly protect data, security teams within an organisation must assess their database security and always follow best practice

“Database misconfiguration is often overlooked and so it’s crucial that IT teams understand their environment and know where the data is being stored so that they are able to identify any vulnerabilities quickly and easily and issue a patch update where required,” Hay added.

"It is also advisable that organisations carry out pen testing so that they are able to identify any flags quickly. It is also important to ensure staff are trained correctly so that they can be aware of basic data security principles.

“The importance of correctly securing data cannot be underestimated. You only need to look at organisations who have suffered from large-scale breaches previously to see the reputational impact that they have suffered."

In a statement from EasyJet, CEO Johan Lundgren said: “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers' personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams.

“As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.

“Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data.

“We would like to apologise to those customers who have been affected by this incident."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews