The Information Commissioner’s Office (ICO) in the UK has abandoned its probe into the 2020 data breach at budget airline EasyJet due to “limited resources”.
According to the watchdog, the continuation of an investigation into the data breach was not in its interests and failed to represent the best use of its resources.
The EasyJet hack remains one of the largest data breaches in UK history, with data belonging to around nine million customers exposed.
Information including names, email addresses, travel details, and credit card details was accessed in the breach.
Customers were warned at the time they could face heightened security threats, such as phishing, as a result of the breach.
Confirming the decision to drop the investigation, a spokesperson for the watchdog said it still places a strong focus on enforcement of data protection rules and that “all data breaches reported to us are important”.
“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward,” the spokesperson said.
“It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organizations.
“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time.”
The ICO said it’s currently in the process of transforming how it prioritizes and delivers activity to ensure “timely and transparent results”.
The move is part of a concerted effort at the watchdog to prepare for the forthcoming Data Protection and Digital Information Bill, the spokesperson added.
ICO decision could create wrong message
The decision to drop the probe has been met with criticism from security industry practitioners amid claims that it could send the wrong message to organizations in the future.
Mike Newman, CEO of My1Login, said the decision is concerning given that British Airways was handed a £20 million fine for a “much smaller data breach”.
“The industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case,” he said.
“Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud, and identity theft. It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and could send out a very wrong message to other organizations.”
RELATED RESOURCE
Get a roadmap to effective governance and increase resilience
DOWNLOAD NOW
Barrier Networks CISO, Jordan Schroeder, echoed Newman’s comments on messaging. However, he insisted the ICO still appears firmly committed to enforcement and ensuring robust data protection standards across the UK.
“This latest update could give off mixed messages and it will undoubtedly receive a lot of scrutiny, but it shouldn’t be seen as an indication that the ICO is ‘easing up’ or that data breaches will be tolerated,” he said.
“Organizations have a duty to care for the data they hold and process, and they must take the protection of that data very seriously. These protections shouldn’t only be motivated by compliance or the risk of regulatory fines, but mainly because of their duty of care to customers, employees, and partners.”
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
ICO admits it's too slow dealing with complaints – so it's eying up automation to cut staff workloadsNews The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
