The group action, worth £18bn, could see each affected customer receive a £2,000 pay-out if successful. A team of Queen’s Counsel and junior barristers from Serle Court and 4 New Square chambers have been instructed in the case.
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers,” said PGMBM managing partner Tom Goodhead.
“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”
The personal data leaked includes names, email addresses, and travel data – such as dates of departure and arrival, reference numbers and booking values. PGMBM said the exposure of personal travel patterns may pose security risks to individuals and was a “gross invasion of privacy”. In addition, more than 2,000 customers had their credit card data exposed.
Since easyJet formally disclosed the breach on 19 May 2020, it has emerged that its systems were breached in January, meaning it has waited four months to inform its customers that they were at increased risk of being targeted by cyber criminals.
The firm is inviting any affected easyJet customers, wherever in the world they may be located, to join the claim on a no-win, no-fee basis.
Despite the airline’s tardiness in informing its customers, it is understood the Information Commissioner’s Office (ICO) was informed of the incident in good time. An ICO spokesperson confirmed a live investigation into the cyber attack is in progress.
“People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary,” they said.
“Anyone affected by data breaches needs to be particularly vigilant to possible phishing attacks and scam messages. We have published advice on our website about how to spot potential phishing emails.”