A law firm has issued a class action claim in the High Court of London against EasyJet over a data breach that exposed the details over around nine million customers.
The action has been brought by law firm PGMBM and could see EasyJet customers get up to £2,000 each if the claim is successful. With nine million customers’ data known to have been leaked, easyJet’s potential liability is £18 billion.
EasyJet announced in the middle of May that personal data of nine million customers from around the world had been exposed in a data breach. The breach itself occurred in January 2020 but despite notifying the UK’s Information Commissioner’s Office at that time, EasyJet waited four months to notify its customers.
Details from the breach included full names, email addresses and travel data that included departure dates, arrival dates and booking dates. PGMBM said that the exposure of details of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy. It added that under Article 82 of the EU General Data Protection Regulation (EU-GDPR), customers have a right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.
The law firm has now made the claim on behalf of impacted customers. It said that this was done after being contacted by numerous affected people when the data breach was made public.
PGMBM has instructed a team of Queen’s Counsel and Junior Barristers from Serle Court and 4 New Square Chambers.
Tom Goodhead, PGMBM managing partner, said that the breach was a “terrible failure of responsibility that has a serious impact on easyJet’s customers.”
“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around of the world,” he added.
Paul Cahill, data breach solicitor at Fletchers Data Claims said that the Information Commissioner’s Office (ICO) has the power to impose a large fine for a breach of this type.
“However, the ICO cannot award compensation to victims of a data breach – which means that people who are affected must find alternative ways to seek compensation,” he said.
“The EasyJet breach means that more than 2,000 customers are now unsure who has their credit card details and what action might be taken with that information.”
Partner and head of Mishon de Reya Cyber Joe Hancock, said that he suspects the fact that limited credit card details were taken indicates that EasyJet's security systems were effective.
“This may indicate that the attackers were also limited by what they could collect as the number of booking have plummeted in light of the Covid-19 pandemic,” he said.
Affected EasyJet customers can join the claim at www.theeasyjetclaim.com on a no-win, no-fee basis. PGMBM said that if it is successful in recovering compensation for claimants, they will 'only' charge a maximum of 30 percent of damages.