The Information Commissioner’s Office (ICO) in the UK has abandoned its probe into the 2020 data breach at budget airline EasyJet due to “limited resources”.

According to the watchdog, continuing the investigation into the data breach was not in its interests and did not represent the best use of its resources.

The EasyJet hack remains one of the largest data breaches in UK history, with data belonging to around nine million customers exposed.

Information including names, email addresses, travel details, and credit card details was accessed in the breach.

Customers were warned at the time they could face heightened security threats, such as phishing, as a result of the breach.

Confirming the decision to drop the investigation, a spokesperson for the watchdog said it still places a strong focus on enforcement of data protection rules and that “all data breaches reported to us are important”.

“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward,” the spokesperson said.

“It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organizations.

“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time.”

The ICO said it’s currently in the process of transforming how it prioritizes and delivers activity to ensure “timely and transparent results”.

The move is part of a concerted effort at the watchdog to prepare for the forthcoming Data Protection and Digital Information Bill, the spokesperson added.

ICO decision could create wrong message

The decision to drop the probe has been met with criticism from security industry practitioners amid claims that it could send the wrong message to organizations in the future.

Mike Newman, CEO of My1Login, said the decision is concerning given that British Airways was handed a £20 million fine for a “much smaller data breach”.

“The industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case,” he said.

“Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud, and identity theft. It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and could send out a very wrong message to other organizations.”

Barrier Networks CISO, Jordan Schroeder, echoed Newman’s comments on messaging. However, he insisted the ICO still appears firmly committed to enforcement and ensuring robust data protection standards across the UK.

“This latest update could give off mixed messages and it will undoubtedly receive a lot of scrutiny, but it shouldn’t be seen as an indication that the ICO is ‘easing up’ or that data breaches will be tolerated,” he said.

“Organizations have a duty to care for the data they hold and process, and they must take the protection of that data very seriously. These protections shouldn’t only be motivated by compliance or the risk of regulatory fines, but mainly because of their duty of care to customers, employees, and partners.”