A legal action has been filed in the United Kingdom High Court under Article 82 of the General Data Protection Regulation (GDPR) on behalf of nine million EasyJet customers whose private data was accessible during a data privacy breach earlier this year.
It was made public on 19 May 2020 that the airline had been successfully targeted by cybercriminals and that the personal data of approximately 9M customers globally had been unlawfully captured by third parties in a “highly sophisticated cyber-attack”.
The data that was stolen included travel details, departure and arrival dates/times, email addresses and other contact information that had been gathered by EasyJet during the booking process. The credit card details of 2,000 customers were also stolen. It remains unknown if the personal data taken in the breach is being used to commit fraud.
Early indicators are that the airline first became aware that its databases had been attacked during January 2020. After completing a review of the breach, EasyJet issued alerts to affected customers during April 2020. After this, on 22 May 2020, UK law firm PGMBM filed a claim in the London High Court. The law firm also made it public that it would be seeking compensation of up to €20bn for clients who were affected by the EasyJet breach. A letter of claim is due to be sent to EasyJet at some point this month.
Despite the delay in EasyJet sending breach notifications to its customers, it is thought that the United Kingdom’s Information Commissioner’s Office (ICO) was made aware of the incident within the legally required amount of time.
An ICO representative said that a live investigation into the hacking attack is underway: “People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary. Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks and scam messages. We have published advice on our website about how to spot potential phishing emails.”
PGMBM is also submitting a legal action against British Airways in relation to a breach that led to 500,000 customers having their personal data illegally taken. A fine was applied by the ICO to the tune of £183.39 million ($229.2 million at the time) for a security vulnerability that made it possible for hackers to install malware on the group’s digital payments database. While British Airways has officially appealed the fine, the proposed fine from the ICO indicated how willing the UK regulator is to sanction large GDPR fines.