On 19 May 2020, easyJet, a budget airline based in the UK, published a statement announcing that it had “been the target of an attack from a highly sophisticated source” and had suffered a data breach as a result. The airline admitted that the breach affects approximately 9 million customers. Investigation revealed that names, email addresses and travel details were leaked. The airline also said that the credit card details of around 2,200 customers were exposed in the attack. As easyJet confirmed to the BBC, the stolen credit card data includes the three-digit CVV security code.
EasyJet’s handling of the breach
The airline says that it became aware of the data breach in January 2020 and at that time notified both the UK’s data protection supervisory authority, the Information Commissioner’s Office (“ICO”), and the UK’s National Cyber Security Centre. easyJet has said that it has now contacted all affected customers, although the official statements suggest that easyJet took three months to contact the first batch of customers whose credit card details were compromised, and informed the remainder of the 9 million individuals only afterwards. It will be for the ICO to determine whether easyJet satisfied the GDPR Article 34 requirement to notify affected individuals “without undue delay” wherever there was a high risk to their rights.
The firm has confirmed that additional security measures have been put in place to protect customers’ information. The airline has advised all its customers to be extra vigilant, particularly about unsolicited communications and potential phishing. Customers have been warned to treat with caution any communication claiming to be from easyJet or easyJet Holidays.
Fines and legal actions to cost the company millions?
Depending on the ICO’s determination of easyJet’s compliance with GDPR, in particular whether there was a breach of the “integrity and confidentiality” principle, the airline is at risk of a direct fine from the ICO of up to the greater of €20m or 4% of global turnover. In addition, a UK law firm is preparing a class action claim against easyJet for up to £18 billion in damages for the affected individuals. The law firm believes that each individual could claim damages of around €2,000 as a result of the personal data leaked. While the strength of the claim remains to be seen, it is a reminder that the GDPR allows aggrieved parties to seek damages via class actions, and that this poses a significant financial risk to companies in addition to any fine levied by the supervisory authorities.
Other high profile airline incidents
easyJet is not the first airline to suffer a high profile data breach. In 2019, a breach occurred in which the personal data of approximately 50,000 British Airways customers was diverted to a fraudulent site by attackers. The ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of GDPR.