On 19 May 2020, EasyJet announced that it had suffered a data breach in January. The company informed the United Kingdom's (UK) Information Commissioner's Office swiftly but waited four months before notifying its nine million affected customers. The leaked data includes full names, email addresses, booking dates, and departure and arrival dates. EasyJet now faces a potential £18 million liability lawsuit brought on behalf of its customers. The affected customers have the right to compensation under Article 82 of the European Union General Data Protection Regulation (GDPR). The company could also be fined up to twenty million euros or 4% of its total annual turnover. This is not the first time a large company has faced staggering sums over a data breach. In 2019 British Airways faced a £183 million fine for a data breach that occurred in 2018. Marriott Hotels, Facebook, and Wonga also suffered data breaches in 2018.
With fines now potentially much greater under the GDPR, and with the possibility of having to compensate affected customers, all businesses need to be more cyber aware and secure. The Department for Digital, Culture, Media and Sport reported that in 2019 the average cost of lost data was £4,180 for UK businesses and £9,470 for charities.
The Internet of Things, the collection of sensors and smart objects built to interconnect all things, is incredibly vulnerable to attacks. Cameras, webcams, cars, mobile phones, and even smart toilets have been found to contain security vulnerabilities. Smart devices, security systems, and control systems for heating, air conditioning, and elevators are all connected to the internet. Often these devices are protected only by default passwords. Some require no verification at all. Because they are all connected, a hacked smart device can act as a gateway into your computer systems. It is vital that businesses think beyond computers and laptops when it comes to cyber security. More than 60% of online fraud is achieved through mobile phones.
Employees can often be a cause of a successful cyber-attack, whether by accident or intent. Inadequate training of employees can lead to successful attacks, and employee training is often the most underfunded area of many companies' cyber security budgets.
Cyber-attacks can come in the form of fraudulent emails that try to extract security information, known as phishing. Phishing emails can also contain malicious software which, once downloaded, can infect a computer. It could be a bot which secretly runs in the background and allows remote access. Several bots form a botnet that can then be instructed to perform synchronised tasks. An innocent-looking program may contain a trojan that gathers information, intercepts messages, or installs a back door to allow remote access. Ransomware can encrypt the files on a device. The victim is then blackmailed into paying money to receive the key that decrypts the files. Ransomware can be so sophisticated that reverse engineering is not possible. If the files are not duplicated elsewhere, the only way to retrieve them is with the virtual key. Europol has stated that ransomware, which provides an easy stream of income for cybercriminals, was the top cyber threat in 2019. In 2017 a web hosting firm in South Korea paid a one-million-dollar ransom.
Advancements in technology come with great opportunity, but they also come with risk. It has been predicted that cybercrime will cost the world six trillion dollars annually by 2021. Businesses of all sizes need to seriously consider their cyber vulnerabilities and do all they can to protect themselves, or risk paying a heavy price.
By Samuel Killoran, a law student at Solent University