On 19th May 2020 EasyJet disclosed that they had been the victim of a significant cyberattack which may have exposed the personal data of over 9 million customers. This data reportedly contained over 2,200 credit card records, as well as name and email addresses.

EasyJet Data breach

This breach actually occurred in January 2020. It was not until April 2020 that the first tranche of individuals were notified – those who had their credit card details exposed. Only now has EasyJet revealed the true extent of the breach, meaning that millions of individuals are at risk of further cyberattacks, such as phishing emails or identity theft.

EasyJet has been working closely with the Information Commissioner’s Office (ICO) during this time and reportedly did inform the governing body within the relevant legal time (72 hours), despite not informing the affected individuals for up to 4 months.

Compensation for the breach

A group action claim has now been brought before the UK High Court on behalf of the 9 million customers who have been affected by the breach. If successful, this could see each individual receive a pay-out in the region of £2,000 – potentially meaning EasyJet will have to pay out £18 billion in compensation for the breach.

This pay-out is separate to any fines which may be imposed at the discretion of the ICO. In accordance with the GDPR and Data Protection Act 2018, the ICO has the power to enforce fines of either 20 million or 4% of annual worldwide turnover. On the basis of EasyJet’s 2019 turnover, that could be in excess of £255 million.

Similar cyber attacks

By comparison, in 2018 British Airways suffered a similar cyber attack which compromised the data of 500,000 individuals. The ICO issued a notice of intent to British Airways in 2019 to fine them £183.4 million as a result of that breach. Given the difference in scale between that breach and the one suffered by EasyJet, it seems likely that EasyJet will face a significant fine, particularly due to their inactivity and lack of communication directly following the breach. 

It is vital whenever a data breach occurs, whether big of small, that the appropriate action is taken promptly, in order to try and avoid any significant reprimands from the ICO.