EasyJet faces class-action lawsuit over data breach

EasyJet is facing an £18 billion class-action lawsuit over the recent large-scale data breach that exposed the personal details of nine million of its customers.

Law firm PGMBM said it has issued a class-action claim in the High Court of London with a potential liability of £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.

This move follows the airline’s recent announcement that it had been the subject of a “highly sophisticated cyber attack” in which the email addresses and travel details of around nine million customers were accessed, as well as the credit card details of 2,208 customers.

PGMBM, which specialises in group class-action, said that although the airline had announced the breach on May 19, it actually occurred four months earlier in January. This meant that the company delayed telling those affected that they could be at risk for four months, potentially leaving them open to attack.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet's customers," said PGMBM managing partner Tom Goodhead.

“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, EasyJet has leaked sensitive personal information of nine million customers from all around the world.”

The law firm said it was taking the action under Article 82 of Europe's General Data Protection Regulation (GDPR), which gives customers the right to compensation for inconvenience, distress, annoyance, and loss of control of their personal data.

EasyJet has yet to comment on the filing of the lawsuit, but last week apologised to those customers affected.

RELATED RESOURCE

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

FREE DOWNLOAD

It remains to be seen whether EasyJet will also face a fine from the Information Commissioner's Office (ICO). The watchdog's guidance states that failing to notify a breach when required to do so can result in a significant fine up to €10 million euros or two per cent of a company's global turnover.

A spokesperson for the watchdog confirmed that an investigation into the breach is ongoing, saying: “People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary."

Carly Page

Carly Page is a freelance technology journalist, editor and copywriter specialising in cyber security, B2B, and consumer technology. She has more than a decade of experience in the industry and has written for a range of publications including Forbes, IT Pro, the Metro, TechRadar, TechCrunch, TES, and WIRED, as well as offering copywriting and consultancy services. 

Prior to entering the weird and wonderful world of freelance journalism, Carly served as editor of tech tabloid The INQUIRER from 2012 and 2019. She is also a graduate of the University of Lincoln, where she earned a degree in journalism.

You can check out Carly's ramblings (and her dog) on Twitter, or email her at hello@carlypagewrites.co.uk.