Brittany Ferries admits security breach

Brittany Ferries has admitted responsibility for a security breach. The ferry operator informed customers that a technical glitch following routine website maintenance left their account details open to anyone who knew their email addresses.

Brittany contacted customers in early November to explain that a “breach to our data that might have an impact on your My Account with Brittany Ferries” had occurred.

Brittany’s data protection officer, Anne Laure Fabre, said: “In spite of our cyber vigilance and rigorous security checks, I’m sorry to confirm your account’s protection settings were unintentionally changed between October 21st and November 2nd of this year.”

In a separate follow-up statement, she said: “We uncovered a fault in the authentication process used for My Account login details that meant any My Account could be accessed without the right password. We have traced this error back to October 21st during a routine website update. As soon as the fault was uncovered, our engineers and security team set to work immediately, diagnosing and resolving the issue on the same day it was discovered.”

A Brittany Ferries spokesperson told enterprise technology news website The Register: “A patch was quickly applied which resolved the issue on the same day. Procedures have now been updated to ensure appropriate password tests are carried out every time a website update takes place.”

What does the Brittany Ferries data breach mean for consumers?

Brittany Ferries’ “technical glitch” meant that anyone with a customer’s email address connected to their Brittany Ferries My Account portal could access that person’s:

  • Name
  • Postal address
  • Telephone number
  • Bookings from the last six months
  • Passport number
  • Date of birth
  • Nationality

Given the potential to commit fraud with such details, this was clearly a severe breach.

However, Fabre sought to assure customers, saying experts had told her that the “risk of malicious intervention is exceptionally low and certainly there is no evidence that your data has been compromised. I do need to make you aware that this has happened and apologise accordingly.”

Despite the potential for accounts to be accessed without a password, Fabre also said customers might want to update their password, “just in case.”

Customers disappointed with lack of clarity from Brittany Ferries

Several customers expressed their disappointment with Brittany Ferries. The most significant bone of contention was that the company couldn’t definitively say whether data had been accessed by threat actors.

The same company spokesperson told The Register that no customers had complained of having their data accessed. Up to 25,000 customers may have been affected. Of course, the issue with data breaches is that people may not realise their data has been acquired until they discover identity theft or other fraud attempts.

In further seeking to reassure customers, the spokesperson told The Register: “Although I have to reiterate, the reason for notification is prudence and good practice. We think the likelihood of malicious attack is virtually nil bearing in mind 1) we uncovered the issue 2) there is no indication that any kind of malicious external activity took place 3) we resolved the issue quickly – and of course notified the authorities. We have advised all customers in a communication to change their password accordingly.”

At the time of writing, it wasn’t clear whether the breach had been referred to the Information Commissioner’s Office (ICO), but it hadn’t been reported in the days following Brittany Ferries sending out notifications to its customers.

The ICO said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.

“All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.”

Are you an affected Brittany Ferries customer? Contact LawPlus now

If you’ve been affected by the Brittany Ferries data breach, you could be entitled to compensation.

Contact LawPlus now for a free, no-obligation assessment of your potential Brittany Ferries data breach claim.
