by snowwolf 2223 days ago
> EasyJet said it first became aware of the attack in January.

vs

> The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.

So either EasyJet was delayed in their reporting of the breach, or the ICO didn't feel it was urgent to notify 9 million people that their data had been compromised. But it is now 4 months later?

3 comments

Their official statement says

> we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue. We also notified the National Cyber Security Centre and the ICO. We have closed off this unauthorised access.

Maybe the relevant supervising authority didn't find it important to notify those 9 million customers.

> Maybe the relevant supervising authority didn't find it important to notify those 9 million customers.

Which is a problem, right? Now it emerges what has been breached, including credit card data. Surely the prudent thing would have been to warn all their customers immediately to allow them to be on the lookout for malicious use of their data (phishing, etc.) and not wait until they have concluded their investigation.

Oh great, that probably explains the last few emails I got recently kindly telling me what my password is, and I should pay some bitcoin otherwise my weird browsing habits will be exposed to the world.

(edit) Ah no, no mention of passwords being stolen, so I guess it's from somewhere else.

From my experience reporting various GDPR violations, it is clear that the ICO does not actually want to enforce the regulation, so this is not surprising.