César Ferradas

The EasyJet data breach is no surprise

21 May 2020

I just received the email.

I’m one of the 9 million EasyJet customers who’ve had their data leaked. I didn’t think this would happen to me.

I’m very aware it could happen to me, mind you. That’s why I practice good online security: I have good password habits, I check websites I sign up to to make sure they’re not dangerous, I give minimal personal information online and I regularly delete old accounts I don’t use anymore. I just never thought it would actually happen to me.

Thinking about it, it’s no surprise.

The reason I care so much about online security is because data breaches happen all, the, time. Just look at the list of breached websites at Have I Been Pwned. These are services we use regularly. Some of them are massive companies which should know better and have the resources to secure their systems. Others did everything possible, but mistakes were made and data got leaked.

So, EasyJet is just one more to add to the list. And even though it bothers me that my data was breached, I know I’ve done all I could to protect my information online. My email and password combination for EasyJet is unique, so it won’t work to log into any other online account I have. Unfortunately, my location, full name and personal email are now available publicly online, and I expect some phishing emails to come my way, but I’m prepared for that.

But EasyJet didn’t do everything they could to protect our information. They limit their passwords to 20 characters, and they disallow some special characters, which reduces the number of possible password combinations and makes them easier to brute force. This is a small example, but it suggests that account security comes as an afterthought, and that they’re not following the latest website security advice. What a shame.

Let’s take this as an opportunity to reflect and be proactive about online security. At a personal level, make sure you use unique, random passwords for all of your accounts, and disclose personal information online only when absolutely necessary. But more importantly, at an institutional level, let’s hold these companies accountable for not implementing state-of-the-art security.

EasyJet isn’t only a low-budget airline company. It’s an online company. Once you decide to build a website for your business, that’s what you become. EasyJet is responsible for excelling at both travel and website development. They owe that to their customers. They, and others, have no excuse to use outdated, insecure software and practices.

With great data comes great responsibility.