Milestone 3

DATA BREACHES 5

EASY JET CYBER ATTACK

Poorna Sai Raj Goud Parkala

University of the Cumberlands

ITS-834 Emerging Threats & Countermeasures

Prof. Dr. Derek Holbert

DATA BREACHES 1

Administrative security control

The Easy Jet cyber-attack occurred, resulting in exposure of email addresses, travel data for more than 9 million people, and Credit cards of 2,208 clients (Oakley, 2019). The company had to contact the customers whose information had been accessed during the breach. The action taken immediately was notifying the National Cybersecurity Center and the ICO being the UK's information watchdog (Oakley, 2019). The reason behind reporting was to ensure that the department investigates the breach that exposes customer's information to unauthorized people (Oakley, 2019).

According to the company digital privacy expert, the attackers take advantage of the pandemic period, where many customers are canceling their flight (Oakley, 2019). The company is, therefore, advising their clients to take a warning when opening emails from the company as some might be from the hackers to misguide them to a fake website to steal their data (Oakley, 2019). A call center and a cyber-security department have been established to address any arising concerns from the breach.

Technical security control

The criminals were reported to have sent emails with fake website links stealing the victim's data and using it to open accounts and taking loans with the victim's details (Boyer & McQueen, 2007). This technical problem is a result of adequate security control to ensure passenger's data integrity within the IT systems. According to reports, EasyJet systems were penetrated via internet servers, where the attackers installed a data harvesting malware (Boyer & McQueen, 2007). The backup files were also observed as having weak and other no password protection. Other technical problems included the presence of inadequate and outdated anti-virus software (Boyer & McQueen, 2007). The company should set a standard password policy to establish a strong password on the systems to ensure data integrity and confidentiality (Boyer & McQueen, 2007).

Physical security control

They may include deterrent, detective, and preventive measures. Deterrent measures a meant to discourage the hackers while the detective measures provide alert messages to the customers in case of any intrusion (Wong & Vaughan, 2020). The prevention measures help to curb any intrusion which might take place in the company (Wong & Vaughan, 2020). According to the company website, the physical control measures established by the company include a security team that works to prevent security threats on personal data (Wong & Vaughan, 2020). As a way of providing detective measures, the company encourages the employee and customers to raise concerns regarding safety and ethical issues through a whistleblowing process called Speak Out service (Wong & Vaughan, 2020).

Conclusion

The data breach at Easy Jet Company was as a result of failed technical control measures. Therefore, the company should ensure authentication and identification measures such as passwords, tokens, and biometrics. The technical support team should ensure strong passwords and descriptions on how to enforce changes to the password. It should also describe the self-protection of the customers in case of any security breach. The team should develop how biometric and token controls will be implemented and used within the company systems (Boyer & McQueen, 2007). Airline companies have been reported to have a patchy record of dealing with data security; therefore, it's advisable to establish a cyber-security department to deal with technical data breach issues.

References

Boyer, W. & McQueen, M. (2007). Ideal based cybersecurity technical metrics for control systems. International Critical Information Infrastructures Security (pp. 246- 260). Springer,Berlin.

Oakley, J. G. (2019). Cyber-Attack. In Waging Cyber War. Berkeley, CA. (pp. 41-55).

Wong, S., & Vaughan, A. (2020). Cyber-physical security via geometric control: Distributed monitoring and malicious attacks. IEEE 51st conference on decision and control. (pp. 3418- 3425)