ICO drops its investigation into 2020 EasyJet breach affecting 9m people

01/12/2023 | The Telegraph

The Information Commissioner's Office (ICO) has closed its investigation into the 2020 data breach that affected millions of EasyJet customers. The ICO confirmed its decision on Sunday, citing "limited resources" as the reason it will not be issuing any penalty to EasyJet. The data breach resulted in the theft of personal details and travel itineraries of nine million individuals. Credit card numbers of 2,200 individuals were also stolen. At the time, EasyJet contacted the National Cyber Security Centre (NCSC) for assistance in responding to the breach.

In a statement contributing to the article, Conservative MP and Chairman of Parliament's Science, Innovation and Technology Committee, Greg Clark, said that he would write to the ICO to demand an explanation. Due to the vital role the ICO plays in regulating privacy and artificial intelligence (AI), Clark explained his committee is "concerned that if the Government is to rely on existing regulators like the ICO, they must have the right resources to carry out their work and command public confidence."

The ICO's decision has raised serious concerns within the industry that it is softening its regulatory approach. The article includes a comment from data protection specialist Jon Baines, who said: "The ICO seems to have lost its appetite for issuing fines," which have been replaced by reprimands that "amount to little more than a slight rap on the knuckles, but here it sounds like there will be no findings made at all."

We contacted the ICO for a copy of the full statement provided to The Telegraph. We received the following emailed response: 

"All data breaches reported to us are important, given the human impact at the heart of each incident." 

"The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward. It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organisations. Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time."

"We are currently transforming how we prioritise and deliver activity across our wide range of regulatory responsibilities to enable timely and transparent results as we prepare for the forthcoming Data Protection and Digital Information Bill."

£ - The Telegraph article requires a subscription. 

UPDATE: 011223 - A response to a Freedom of Information (FOI) request revealed that Deputy Commissioner Stephen Bonner (SB) took the decision to drop the investigation into the EasyJet data breach. A further question asking for any "recorded information showing why the decision maker decided to drop the case i.e. emails, notes or other internal messages that set out the reason not to take the investigation further" was answered with a single heavily redacted email revealing that SB had signed off the action.
