A class action lawsuit has been filed against EasyJet in response to the data breach that occurred at the airline.
Earlier this month, we reported on the EasyJet data breach. The breach saw 9 million customers compromised. At the time, the UK airline immediately notified the Information Commissioner's Office (ICO) upon learning about the breach and is investigating.
Unfortunately for the UK airline, the company now faces a class action lawsuit. According to ZDNet, the lawsuit is seeking £18 billion, or up to £2,000 for each impacted customer. From the report:
However, easyJet has a more immediate legal concern due to law firm PGMBM, which has issued a class-action claim with a potential liability of £18 billion, or up to £2,000 per impacted customer.
The lawsuit has been filed in the High Court of London on behalf of customers. According to the firm, easyJet’s data breach took place in January 2020, and while the ICO was apparently notified at this time, customers were not informed until four months later.
“The sensitive personal data leaked includes full names, email addresses, and travel data that included departure dates, arrival dates, and booking dates,” PGMBM says. “In particular, the exposure of details of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy.”
The class-action lawsuit leans on GDPR legislation which gives consumers the right to claim compensation when their information is compromised in security incidents.
Tom Goodhead, PGMBM Managing Partner, said the “monumental” data breach is a “terrible failure of responsibility that has a serious impact on easyJet’s customers.”
EasyJet told ZDNet that the company “will not be commenting on this matter.”
In the months leading up to and since the passage of the General Data Protection Regulation (GDPR) nearly two years ago, one observation we made was that fines against companies that suffer leaks or breaches would likely remain low for a while. This is because it takes time for authorities to assess such incidents before handing out fines. So, articles about fines against companies that followed the regulation's passage revolved around incidents that took place before the law took effect. As a result, the fines would be under the old laws.
An example of this is Cathay Pacific, which was fined £500,000 for a data breach that occurred back in 2018. At the time, some would have looked at the fine and commented on just how low that number is. Well, under relevant laws before GDPR, this was actually the maximum fine that the ICO could levy against the company.
So, contrast the fine of £500,000 with the lawsuit seeking £18 billion and the difference is pretty much night and day. A company is now much more likely to feel the sting of non-compliance. Indeed, with the higher fines, the hope is that more companies will treat personal information much more seriously and be more motivated to better protect that information.
It'll be interesting to see how this plays out in court. There are already other cases against companies that are testing the GDPR, but assuming the cases result in decisions that uphold the law, it'll become much tougher for companies to try and resist these large fines. So, perhaps another court case to keep an eye on.
Drew Wilson on Twitter: @icecube85 and Facebook.