
I hate people who “armchair quarterback.” I also think there’s an unfortunate tendency for people to “pile on” when a company is breached and generally wax pedantic about the one critical thing that would have prevented it, what they would have done differently, or why the whole thing is the company’s own damn fault in the first place.

I hate that, and I’m pretty sure you do too. That said, every once in a while there are things that happen that I think deserve to be called out, either because they are exceptionally egregious (or at least head-scratching) or because they smack of something unethical. I encountered one of those today.

In this case, I’m a bit stymied by where we are with the EasyJet breach. If you haven’t been following along, the backstory is that EasyJet announced yesterday that they exposed PII (email address and travel plans) for about 9 million people and that they had divulged credit card details of about 2000 more (2208 to be exact).

Sure, fine, whatever. Join the club, right?

But then today, the news comes out that they knew about the attack in January. Meaning, they have known about the attack for the last five months, and they are striving to make everyone whose data was impacted aware of it by the end of May (May 28th, in fact).

Is it me, or does anybody else find this disconcerting? Like, I’m a security guy, right? And if I knew that my travel plans, email, and financial details were leaked, I’d probably be extra vigilant for a little bit. Maybe I’d pay extra careful attention to the statement for the credit card I used to make the EasyJet purchase… maybe I’d be extra careful to double-check emails about my travel itinerary from EasyJet. But the victims of this apparently had no such opportunity. If, in fact, EasyJet knew about the attack in January (which it looks like they did), and sufficient details were disclosed/lost to put those impacted at greater risk of attacks like spear-phishing (which they were, because of the leaked email addresses and travel plans), and impacted persons were likely to be at more risk of financial fraud (which they were, by virtue of the credit card data), why then are we hearing about this now… almost 6 months (or 5 months, depending on when in January it happened) after the fact?

They said in a statement, “We’re sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously”. Do they? Because I read that and my gut reaction is to question why they didn’t help people protect themselves for 6 months. If you’re not going to protect my info, at least help me protect and monitor it myself… or at a bare minimum, don’t make it harder.

Now, of course, you’d be right in saying that there are potential reasons for them to wait that are perfectly justified. One very possible explanation is that the ICO (the UK’s data protection authority) – or law enforcement – instructed them not to release the details because it would interfere with an investigation. In their statement, the EasyJet people say:

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications…”

EasyJet Chief Executive Johan Lundgren

So it’s possible that the ICO told them not to release the details because they’re trying to operate without the perpetrator knowing that they are under the microscope. Could be. But in that case I really hope that the investigation came up aces, because those whose info was leaked (9 million people) have been holding the bag for the last six months, at increased risk unbeknownst to them and across at least two different axes (financial fraud and spear-phishing).

I guess my point here is that, at the very least, regulators and companies that really are “very sorry that this happened” will enable victims to protect themselves as quickly as possible. If it’s EasyJet that dragged its feet, shame on them, because they made an already terrible situation worse. If it’s the ICO that held it up (which I very much doubt, FWIW), then they might want to investigate the unintended consequences of the extra 5 months or so – namely the increased risks consumers were exposed to in the interim.