“Limited resources” scupper ICO probe into EasyJet breach
The decision to drop the probe has been described as “deeply concerning” by security practitioners


The Information Commissioner’s Office (ICO) in the UK has abandoned its probe into the 2020 data breach at budget airline EasyJet due to “limited resources”.
According to the watchdog, the continuation of an investigation into the data breach was not in its interests and failed to represent the best use of its resources.
The EasyJet hack remains one of the largest data breaches in UK history, with data belonging to around nine million customers exposed.
Information including names, email addresses, travel details, and credit card details was accessed in the breach.
Customers were warned at the time they could face heightened security threats, such as phishing, as a result of the breach.
Confirming the decision to drop the investigation, a spokesperson for the watchdog said it still places a strong focus on enforcement of data protection rules and that “all data breaches reported to us are important”.
“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward,” the spokesperson said.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organizations.
“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time.”
The ICO said it’s currently in the process of transforming how it prioritizes and delivers activity to ensure “timely and transparent results”.
The move is part of a concerted effort at the watchdog to prepare for the forthcoming Data Protection and Digital Information Bill, the spokesperson added.
ICO decision could create wrong message
The decision to drop the probe has been met with criticism from security industry practitioners amid claims that it could send the wrong message to organizations in the future.
Mike Newman, CEO of My1Login, said the decision is concerning given that British Airways was handed a £20 million fine for a “much smaller data breach”.
“The industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case,” he said.
“Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud, and identity theft. It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and could send out a very wrong message to other organizations.”
RELATED RESOURCE
Get a roadmap to effective governance and increase resilience
DOWNLOAD NOW
Barrier Networks CISO, Jordan Schroeder, echoed Newman’s comments on messaging. However, he insisted the ICO still appears firmly committed to enforcement and ensuring robust data protection standards across the UK.
“This latest update could give off mixed messages and it will undoubtedly receive a lot of scrutiny, but it shouldn’t be seen as an indication that the ICO is ‘easing up’ or that data breaches will be tolerated,” he said.
“Organizations have a duty to care for the data they hold and process, and they must take the protection of that data very seriously. These protections shouldn’t only be motivated by compliance or the risk of regulatory fines, but mainly because of their duty of care to customers, employees, and partners.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Developers aren’t quite ready to place their trust in AI
News AI coding tools are delivering benefits for developers, but they’re still worried about security and compliance
-
Are chief AI officers here to stay?
In-depth Mainstay of the boardroom or short-term project leader, CAIOs are the subject of intense consideration
-
23andMe 'failed to take basic steps' to safeguard customer data
News The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach.
-
Cyber attacks have rocked UK retailers – here's how you can stay safe
News Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
-
ICO admits it's too slow dealing with complaints – so it's eying up automation to cut staff workloads
News The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuse
News The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victims
News Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlash
News UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime Agency
News The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failures
News The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies