EasyJet has been slapped with a class-action lawsuit with a potential liability of £18 billion for suffering a massive data breach earlier this year and failing to notify affected flyers for as long as four months.
The class-action lawsuit has been filed by leading class action law firm PGMBM on behalf of 9 million affected EasyJet customers whose personal data was accessed by unauthorised parties. The lawsuit has been filed under the Data Protection Act 2018 and PGMBM is claiming up to £2,000 per affected customer, taking the total claim to £18 billion.
"EasyJet announced on the 19th May 2020 that sensitive personal data of 9 million travellers had been exposed in a data breach. Despite notifying the UK’s Information Commissioner’s Office of the breach in January 2020, EasyJet waited four months to notify its customers," the firm said.
"The sensitive personal data leaked includes full names, email addresses and most disturbingly of all, travel data including departure dates, arrival dates and booking dates. In particular, the exposure of details of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy.
"Under Article 82 of the EU General Data Protection Regulation (EU-GDPR) you have a right to compensation for inconvenience, distress, annoyance and loss of control of your data," it added.
EasyJet warned customers about impending phishing attacks
Earlier this month, EasyJet announced that the cyber attack targeting its IT systems compromised personal details of travellers such as email addresses, credit card details, and travel information. In all, hackers accessed personal data of approximately 9 million customers and credit card numbers of 2,208 flyers.
“Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications,” said Johan Lundgren, CEO of EasyJet.
The company also revealed that it has succeeded in closing off the unauthorised access and has informed the Information Commissioner's Office as well as the National Cyber Security Centre about the security incident.
“We take issues of security extremely seriously and continue to invest to further enhance our security environment. EasyJet is in the process of contacting the relevant customers directly and affected customers will be notified no later than the 26th of May,” it said.
Class-action lawsuit will likely be settled
PGMBM stated in its website that it will first try to settle the claim with EasyJet by way of a pre-action letter. If that fails, the firm will take the case to a Group Litigation Order (a “GLO”) which is the mechanism by which the courts in England and Wales manage thousands of cases which are all brought together at the same time.
The firm added that if a quick settlement with EasyJet is achieved, affected flyers will be able to receive their compensation within the next six months. However, if EasyJet decides to fight it out in court, it may take two years or so for them to receive their compensation, provided EasyJet loses the case as well. POGMBM is also leading a class action against British Airways on behalf of 380,000 customers whose login details, names, addresses, booking details, and payment card information were stolen by hackers from the airline's website.
In July last year, the Information Commissioner's Office announced its intent to fine British Airways £183.39 million for failing to prevent a cyber incident that took place in September 2018. However, the quantum of fine could change after the airline company makes a representation to the ICO as to the proposed findings and sanction.