Law firm PGMBM has launched a class action lawsuit in the High Court against airline EasyJet over a massive data breach that occurred in January.
The claim asks for £2,000 in compensation for each of the nine million affected customers, making for a potential total bill of £18bn.
While the company reported the breach to the UK Information Commissioner’s Office (ICO) in January, it did not inform the affected customers until May. In addition to customers’ travel details, such as booking dates and arrival and departure dates, the email addresses and full names of the customers were also compromised in the breach.
PGMBM alleges that in addition to being a gross invasion of privacy, revealing details about people’s travel plans could increase security risks. For example, tech-savvy criminals could analyse the data to identify empty properties as burglary targets, or to identify people as targets for identity theft while they are out of the country. The credit card details of 2,208 customers were also compromised, although this relatively low number suggests that the airline’s security mechanisms did work to an extent. The law firm also pointed out that Article 82 of the General Data Protection Regulation (GDPR) gives customers the right to claim compensation for any annoyance, inconvenience, loss of control, and distress resulting from their personal data being compromised.
PGMBM says it initiated the action after being approached by a number of affected customers following EasyJet’s announcement of the breach. It says it has instructed a team of barristers from the 4 New Square and Serle Court chambers. Other affected customers can join the claim on a no-win, no-fee basis, although the law firm says it may retain up to 30% of any damages.
A managing partner at PGMBM, Tom Goodhead, said about the claim:
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers. This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, EasyJet has leaked sensitive personal information of nine million customers from all around the world.”
The ICO will likely also impose a hefty penalty for the breach given its scale, but it has no authority to award compensation to the victims of a breach, meaning they have to explore alternative means of seeking compensation, such as legal action.
While the potentially high cost of regulatory fines for breaching the GDPR is already well known, the case highlights how organisations may also be exposing themselves to legal action from customers. At Pro-Networks, we believe in achieving GDPR compliance through sound cybersecurity and a culture of best practices. This is not just to avoid regulatory fines, though, because an organisation benefits from compliance in itself, such as by not having to deal with breaches and the reputational damage that can ensue if customers and partners lose faith in your ability to safeguard their da