easyJet

easyJet issued a notification today (easyJet customer notification, May 19) confirming a breach affecting approximately 9 million customers: email addresses and travel details were taken across the affected population, and payment-card details (including CVVs) were taken for approximately 2,208 customers. The intrusion occurred in January and February of this year. The timing of today's disclosure, more than three months after the discovery in early February, is the question the Information Commissioner's Office and the regulatory commentary are going to focus on.

The disclosure contains little technical content. The intrusion vector is described in the easyJet communication only as "a highly sophisticated source"; the company has stated that affected customers were notified directly, and that customers whose payment-card details were involved were notified earlier than the wider population. The investigation is ongoing, and the airline has cited the COVID-19 operational environment as a contextual factor in the disclosure timeline. Whether that context is an adequate operational explanation for a three-month gap between discovery and disclosure is the question the ICO will need to assess, and its answer will set precedent for what counts as legitimate delay against GDPR's 72-hour notification clock.

The disclosure-timing question is the one the regulatory analysis turns on. GDPR Article 33 requires controllers to notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware". In the regulatory commentary that has accumulated through the post-25-May-2018 enforcement period, the "without undue delay" wording is read as a substantial constraint in its own right, not one that the 72-hour-where-feasible window exhausts. The Article 29 Working Party (now the European Data Protection Board) guidance on the matter (WP250 / EDPB Guidelines on Personal Data Breach Notification) acknowledges the operational reality that some incidents require investigation before the notification scope is fully understood, but it is clear that the controller must notify on the basis of the incomplete information available within the 72-hour window and update with subsequent detail, rather than withholding notification until the investigation is complete.

The easyJet disclosure timeline appears to have used the longer-investigation framing as the operational rationale. The ICO investigation will assess whether that framing is consistent with the regulation's requirements. The case will be one of the early test cases for the 72-hour-clock interpretive question, and the eventual decision will affect customer-organisation practice across the UK.

For the customer briefings, the easyJet case has produced two specific conversations. First, the disclosure-timing question is now in regulatory focus, and the customer-organisation breach-notification posture needs to be ready to file initial notifications on incomplete information rather than holding for investigation completion. The customer-organisation playbook updates I have been writing through 2019 reflect this; the easyJet case will reinforce the operational practice. Second, customer organisations would, on intuition, expect the COVID-19 operational context to attract regulatory sympathy, but the early signs from the ICO and other supervisory authorities are that COVID-19 is not, by itself, an excuse for departing from the regulation's structural requirements. The regulatory expectation is that customer organisations have, by mid-2020, adapted their operational posture to fully remote operation in a way that allows compliance with the regulation's timelines.

For our SOC, the customer-organisation breach-notification readiness exercises that we run as tabletops have, post-easyJet, been updated to include the 72-hour-clock-with-incomplete-information scenario explicitly. The practical exercise is to produce a draft notification document on the basis of the 72-hour-window evidence, defining the affected population in scope-uncertain terms ("the affected population is currently estimated at approximately X but may be revised in either direction as the investigation continues") and committing to update cycles on a defined cadence. The exercise has produced a more disciplined customer-organisation posture than the previous version did.

I will return to this when the ICO investigation produces public output. The easyJet case is likely to settle the disclosure-timing question definitively for the UK regulatory environment.
