British low-cost carrier EasyJet (EZJ) disclosed a customer data breach that the company says impacted 9 million customers. A majority of the data stolen was reportedly email and physical addresses, but a smaller percentage of customers reportedly had credit card details stolen. EZJ first became aware of the breach in January.
This breach happens at a time when the carrier is already under immense financial strain due to the disruption to air travel amid COVID‑19. A customer data breach does not have the same negative financial impact on a company as an operational disruption like a ransomware attack, but the reputational and legal costs will not be insignificant for an organization already under financial pressure. EZJ is reportedly now under investigation by British authorities for violating the UK Data Protection Act and will likely contend with a potentially more costly GDPR fine as well.
More importantly, this breach could be evidence of larger structural weaknesses in the company’s cyber posture—a greater threat to EZJ’s future prospects. The airline was a relatively early digital adopter, advertising how digital transformation has improved operational efficiency and customer service. But poor cyber governance, including the poor management of digital technology, places pressure on the operating margins of companies—an area where EZJ already has persistently lagged behind key competitors like Ryanair (RYA). We wrote previously about how RYA’s poor cyber governance, a 1-Star rated company, poses a threat to the company’s industry-leading operating margins.
Since cyber governance impacts shareholder value, EZJ shareholders should focus on whether this breach was on-off incident or an indication of more serious structural cyber weaknesses. An easy way to do this is to know whether the company is outperforming or underperforming on cyber governance.
COVID‑19 is proving to be a great catalyst for separating winners from losers, and with our digital future being brought forward, cyber governance provides a predictive indicator of how well or poorly the company will manage through the crisis overall.