Airline EasyJet could face up to £18 billion (AUD $33 billion) in compensation payments to passengers that had their information leaked by a third-party in a wide-sprawling data breach.
PGMBM, an international law firm has said that “numerous affected people” have been in touch with the firm and it is now looking for more people impacted by the breach to come forward and take part in a class-action lawsuit which was filed in the High Court of London earlier this week.
The law firm has told those looking to take part in the lawsuit that they are looking for a payment of around £2,000 (AUD $3700) per passenger that was implicated.
PGMBM stressed that Article 82 of the European Union’s GDPR legislation gives customers the ability to claim compensation in the event of an inconvenience, annoyance, distress or loss of control of their personal data, and has declared that it has a steady case to present to easyJet on the behalf of customers that had their information accessed.
We reported a week ago that easyJet had been hit by a “highly sophisticated cyber-attack” that accessed the personal information of nine million customers globally, and included credit card details of more than 2,000 passengers.
EasyJet contacted the U.K.’s Information Commissioner’s Office (ICO) in January, but it took the airline several months to announce publicly that its systems had been breached by an unauthorised third party.
Tom Goodhead, PGMBM’s managing partner said that “this is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers.”
“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information on nine million customers from all around the world,” he said.
Mr Goodhead added that “the sensitive personal data leaked includes full names, email addresses, and travel data that included departure dates, arrival dates, and booking dates… in particular, the exposure of details of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy.”
To make things worse for the embattled airline, already hit by the COVID-19 pandemic’s decimation of the travel industry globally, is that the lawsuit presented by PGMBM is one of a potential series of lawsuits they’ll have to face if the ICO intends to issue a fine for negligent data protection measures.
For reference, the ICO handed British Airways a notice of intent relating to a £183 million fine (AUD $340 million) for a similar, but much smaller data breach than that of EasyJet.
Under GDPR laws, a company can be fined as much as 4% of its annual turnover for mismanagement of customer data leading to a subsequent breach and violation of customer privacy.
According to The Register “if the firm wins, customers signed up for a slice of the EasyJet compensation pie will fork over ‘a maximum of 30 per cent of damages’, giving the law firm up to £5 billion.”