Lessons from the Eurostar hack

Last month, cross-Channel rail service Eurostar discovered that it had suffered a hacking attempt between 15 and 19 October 2018. However, unlike other players in the travel industry that recently suffered breaches, such as BA and Cathay Pacific, Eurostar has emerged relatively unscathed.

Once Eurostar realised it had suffered a data breach, it:

  • Identified the timing and the scale of the breach;
  • Blocked access;
  • Emailed customers alerting them to the situation and advising them to reset passwords; and
  • Reported the breach to the ICO (Information Commissioner’s Office) as required by the GDPR (General Data Protection Regulation).

A Eurostar spokesperson said:

[W]e identified what we believe to be an unauthorised automated attempt to access customer accounts, so as a precaution, we asked all account holders to reset their password. We deliberately never store any payment details or bank card information, so there is no possibility of those being compromised.

What did Eurostar do differently?

Eurostar deliberately never stores its customers’ payment card details – so there is nothing for an attacker who gets into its systems to take. Perhaps it is this, combined with the organisation’s calm and efficient response, that has avoided consumer panic and the negative publicity often associated with data breaches.

The findings of the ICO’s investigation will be known in due course, but considering Eurostar’s response to the attack, it’s possible the organisation will escape a fine.

Assess your breach readiness

Would your organisation be able to identify and contain a breach effectively? Find out now by taking our short survey to discover where improvements can be made.