“Limited resources” scupper ICO probe into EasyJet breach

EasyJet aircraft cross each other while one of them taxies for take off at Orly International Airport on September 10, 2023 in Paris, France
(Image credit: Getty Images)

The Information Commissioner’s Office (ICO) in the UK has abandoned its probe into the 2020 data breach at budget airline EasyJet due to “limited resources”. 

According to the watchdog, the continuation of an investigation into the data breach was not in its interests and failed to represent the best use of its resources. 

The EasyJet hack remains one of the largest data breaches in UK history, with data belonging to around nine million customers exposed. 

Information including names, email addresses, travel details, and credit card details was accessed in the breach.

Customers were warned at the time they could face heightened security threats, such as phishing, as a result of the breach. 

Confirming the decision to drop the investigation, a spokesperson for the watchdog said it still places a strong focus on enforcement of data protection rules and that “all data breaches reported to us are important”. 

“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward,” the spokesperson said. 

“It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organizations. 

“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time.”

The ICO said it’s currently in the process of transforming how it prioritizes and delivers activity to ensure “timely and transparent results”. 

The move is part of a concerted effort at the watchdog to prepare for the forthcoming Data Protection and Digital Information Bill, the spokesperson added. 

ICO decision could create wrong message

The decision to drop the probe has been met with criticism from security industry practitioners amid claims that it could send the wrong message to organizations in the future. 

Mike Newman, CEO of My1Login, said the decision is concerning given that British Airways was handed a £20 million fine for a “much smaller data breach”. 

“The industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case,” he said. 

“Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud, and identity theft. It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and could send out a very wrong message to other organizations.”


Whitepaper cover: Advancing your risk management maturity, with image of colleagues chatting in an office

(Image credit: ServiceNow)

Get a roadmap to effective governance and increase resilience


Barrier Networks CISO, Jordan Schroeder, echoed Newman’s comments on messaging. However, he insisted the ICO still appears firmly committed to enforcement and ensuring robust data protection standards across the UK. 

“This latest update could give off mixed messages and it will undoubtedly receive a lot of scrutiny, but it shouldn’t be seen as an indication that the ICO is ‘easing up’ or that data breaches will be tolerated,” he said. 

“Organizations have a duty to care for the data they hold and process, and they must take the protection of that data very seriously. These protections shouldn’t only be motivated by compliance or the risk of regulatory fines, but mainly because of their duty of care to customers, employees, and partners.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.