EasyJet Facing GDPR Class Action Lawsuit

In the United Kingdom a legal action has been filed under Article 82 of the General Data Protection Regulation (GDPR) in the High Court on behalf of nine million easyJet customers whose private data was accessible during a breach.

It was revealed on 19 May 2020, that the airline company had fallen victim to cybercriminals and the personal data of around 9m customers worldwide had been unlawfully accessed by third parties in a “highly sophisticated cyber-attack”.

The data that was taken illegally included travel details, departure and arrival dates/times, email addresses and other contact information submitted to easyJet during the booking process.  In addition to this the credit card details of 2,000 customers was also taken. Some customers have made it known that they were in receipt of easyJet-themed phishing messages. However, it remains unclear if the personal data lost in the breach is being used for fraud.

Initial details have indicated that the airline first became aware that their databases had been infiltrated on during January 2020. Following an investigation of the breach easyJet issued alerts to affected customers during April 2020. Following this, on 22 May 2020, UK law firm PGMBM submitted a claim in the London High Court. The law firm also revealed that it would be seeking damages of up to €20bn for clients that were impacted by the easyJet breach. It is expected that a letter of claim will be sent to easyJet during June.

The legal action submitted against EasyJet is a group litigation order, which is different from American class-action lawsuits. British GLOs could be more susceptible to a variety of legal challenges that could result in the lawsuits being slowed, or thrown out. This type of compensation claim is part of a growing trend of class actions that come in the aftermath of cyber-attacks.

Despite the delay in easyJet issuing breach notifications to its customers, it is understood the United Kingdom’s Information Commissioner’s Office (ICO) was made aware of the incident in sufficient time. An ICO spokesperson confirmed a live investigation into the cyber attack is in progress saying: “People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary. Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks and scam messages. We have published advice on our website about how to spot potential phishing emails.”

PGMBM is also undertaking a legal action against British Airways in relation to a breach that resulted in 500,000 customers having the personal data stolen. A fine was sanctioned by ICO to the tune of £183.39 million ($229.2 million at the time) for security flaw that made it possible for hackers to download malware to its digital payments systems. While British Airways has officially appealed the fine, the proposed fine from the ICO indicated how eager the UK regulator is to enforce GDPR.