A no-win, no-fee law firm is planning to sue easyJet on behalf of the nine million customers whose details were stolen when the airline’s computer system was hacked in January.
PGMBM is asking customers who were affected to come forward to claim their share of a potential £18 billion payout, which would equate to £2,000 each – although the firm would take up to 30% of the total payment in fees.
The international law firm, which is also suing British Airways for a data breach in 2018, says the more customers who join its class action, the more chance it has of succeeding.
It says that under Article 82 of the EU General Data Protection Regulation, customers have a right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.
PGMBM said all affected easyJet customers worldwide can join its claim on a no-win, no-fee basis and it has set up a new webpage where they can sign up to the class action. Managing partner Tom Goodhead added: “This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers.
“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”
EasyJet told the UK’s National Cyber Security Centre and the Information Commissioner’s Office in January that the flight details and email addresses of nine million customers and the credit card details of more than 2,200 had been stolen, but it didn’t start to tell the customers themselves until April. Some customers only received emails from easyJet this week.
Explaining the delay, easyJet said: “This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.
“In April, we notified a small group of customers whose credit card details had been impacted and offered them support including a dedicated helpline and monitoring.
“Over this time, we have been working closely with the ICO and, following those discussions, we are now notifying other customers impacted by this incident. This is particularly in light of the increased risk of phishing emails since the outbreak of Covid-19.”
EasyJet said there was no evidence that any personal information of any nature, including credit card data, has been misused.
Will any claim succeed?
Data protection rules introduced by the EU do allow consumers to claim compensation if a company has accidentally leaked their data, but for a claim to succeed they need to show that they have suffered some sort of damage, such as losing money or enduring emotional distress or anxiety. The amount of compensation they might be entitled to will depend on the level of loss, the sensitivity of the data stolen, how many people accessed that information, how long it took the company to secure the data and how long it took to inform clients of the breach.