Breaking news today: 9 million customers are thought to be affected by the significant easyJet data breach, with over 2,000 people’s credit card details stolen.
Personal information and travel data are understood to have been exposed in a “highly sophisticated” cyberattack, and victims may be at immediate risk of fraud and scams. As experts in the niche and complex area of data protection negligence law, we know the true extent of how dangerous information can be in the hands of criminals.
The airline could face a significant number of compensation claims, and we’re investigating the issues now. We have been contacted for media comment and have issued advice to the press in relation to fines and legal actions.
About the easyJet data breach
The easyJet data breach is monumental and may well take the lead for the biggest breach of 2020 with a staggering 9 million customers affected.
It’s understood that personal information has been accessed, which may include contact information and travel arrangement data. In addition, the credit card details for 2,208 customers have also been accessed, which puts those victims at immediate risk of fraud and theft.
This is the latest in a long line of travel and tourism industry data breaches. The matter has been reported to the Information Commissioner’s Office (ICO) and customers are to be notified if they’ve been affected.
Risks for victims
Victims of the easyJet data breach could be at an immediate risk of fraud and scams. Given the scale of this cyberattack and the number of people affected, people need to be incredibly careful about unsolicited contact.
People are being warned to be wary of scams like phishing emails, where criminals could use exposed data to pose as easyJet and lead people to dangerous websites. As we have seen with other big data breaches in the past, victims could also be at risk of being duped into handing over money or access to accounts to fraudsters posing as the airline itself.
Personal data alone can be more than enough for criminals to abuse, and those whose credit card data has been exposed need to be vigilant. easyJet must make every effort to issue breach notifications to them without delay in efforts to mitigate the severe risks this breach poses.
What happens next?
As a leading firm of consumer action and data breach compensation specialists involved in over 40 different data group actions, we’re used to seeing the aftermath of a cyberattack like this. At the very least, given the scale of the easyJet data breach, it seems likely that the ICO will issue a fine.
The GDPR can allow fines to be as much as 4% of the company’s global annual turnover for the preceding year, which can mean fines in the millions. Based on figures we have obtained, which suggest the airline’s turnover could be £6.4bn, a fine could be as much as £256m.
This would overtake the current record, the intention to fine British Airways £183m.
Taking the British Airways example further – the first GDPR Group Litigation Order action in England and Wales, and one where we’re on the Steering Committee – there is also the cost of legal action to consider. Total compensation amounts in the BA action have been estimated to reach as much as £3bn, and easyJet may face a significant compensation action as well.