Law firm PGMBM, a specialist in group legal action, has issued a class action claim under Article 82 of the General Data Protection Regulation (GDPR) in the High Court on behalf of nine million easyJet customers whose details were exposed in a data breach.
The group action, worth £18bn, could see each affected customer receive a £2,000 pay-out if successful. A team of Queen’s Counsel and junior barristers from Serle Court and 4 New Square chambers have been instructed in the case.
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers,” said PGMBM managing partner Tom Goodhead.
“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”
The personal data leaked includes names, email addresses, and travel data – such as dates of departure and arrival, reference numbers and booking values. PGMBM said the exposure of personal travel patterns may pose security risks to individuals and was a “gross invasion of privacy”. In addition, more than 2,000 customers had their credit card data exposed.
Since easyJet formally disclosed the breach on 19 May 2020, it has emerged that its systems were breached in January, meaning it has waited four months to inform its customers that they were at increased risk of being targeted by cyber criminals.
The firm is inviting any affected easyJet customers, wherever in the world they may be located, to join the claim on a no-win, no-fee basis.
Despite the airline’s tardiness in informing its customers, it is understood the Information Commissioner’s Office (ICO) was informed of the incident in good time. An ICO spokesperson confirmed a live investigation into the cyber attack is in progress.
“People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary,” they said.
“Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks and scam messages. We have published advice on our website about how to spot potential phishing emails.”
Nevertheless, given the ongoing impact of the Covid-19 coronavirus pandemic, the ICO is taking a somewhat more relaxed approach to regulatory actions than in more normal times as David Halliday, partner in the IT and communications practice at law firm Baker McKenzie, pointed out.
“The ICO has indicated that it intends to take a pragmatic and proportionate approach during the current crisis and has suggested that before issuing fines, it will take into account the economic impact and affordability of the proposed fine, and that in current circumstances this is likely to mean the level of fines reduces,” said Halliday.
“Clearly the airline industry has been particularly seriously affected by the pandemic, so it will be interesting to see what effect, if any, this has on the ICO’s response.
“In other breaches in the same sector, it has ostensibly taken a very robust line, and this incident appears to have its origins before the pandemic – but obviously it is less attractive at present to take heavy enforcement action against such a badly stricken sector.”