EasyJet customers to sue over data breach – Comment from Veracode cybersecurity expert


The news this week that EasyJet customers are set to sue over the recent data breach came after the budget airline was targeted with a “highly sophisticated cyber-attack”. We know IT in the airline industry is underfunded, but this breach and what it can mean for financial penalties due to a GDPR rule break (plus COVID problems) mean that EasyJet could really be in trouble. It is clear that better education is needed if the spread of malicious files like ILOVEYOU and WannaCry, and these types of hacks against EasyJet, are to cease or at least slow down, but the cybersecurity community remains largely unconvinced that stunts like this really offer any value.

Paul Farrington, EMEA CTO at Veracode, had the following to say about the knock-on effect that security flaws have on the airline industry.

“Who would have thought that after the monumental damage caused by data breaches on BA and Cathay Pacific, airlines would still suffer at the hands of cybercriminals? Due to the increase in airline attacks in the past 12 months, there is no denying that the EasyJet attack showcases the knock-on effect that security flaws can have on travel businesses due to the lack of security training and patching policies.

“We know IT in the airline industry is underfunded, but this breach, and what it can mean for financial penalties due to the possible GDPR rule break, means EasyJet could be in for some turbulence. While EasyJet is saying they suffered a “highly sophisticated” attack, we need more information from the airline, as our experience shows that cybercriminals have been using uncomplicated attack methods on unpatched software to cause lasting brand and reputational damage.

“Our latest State of Software Security report reveals that the longer flaws stick around, the lower the chances they will be corrected, which adds to a business’s security debt. Security debt, defined as aging and accumulating flaws in software, is emerging as a significant pain point for the airline industry. This is often due to the business continually being under pressure to prioritise making customer experience as frictionless as possible at the cost of securing the software. In this case, EasyJet may have strayed too far from good design in striving for user convenience, rather than addressing security considerations.

“Those airlines that place security at the heart of development and engineering teams, perhaps embracing DevSecOps, stand the best chance of being the most agile and resilient to challenges from the outside world. EasyJet could very well come through from this, but not without paying off its security debt.”