EasyJet faces £18 billion class-action lawsuit over data breach

charlie-osborne

UK budget airline easyJet is facing an £18 billion class-action lawsuit filed on behalf of customers impacted by a recently-disclosed data breach. 

  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyberattack, including over 2,200 credit card records. 

The "highly sophisticated" attacker to blame for the security incident managed to access this financial information, as well as email addresses and travel details. EasyJet is still contacting impacted travelers. 

See also:  This is the impact of a data breach on enterprise share prices

The carrier did not explain how or exactly when the data breach took place, beyond that "unauthorized access" has been "closed off."

The National Cyber Security Centre (NCSC) and the UK's Information Commissioner's Office (ICO) have been notified, of which the latter has the power to impose heavy fines under GDPR if an investigation finds the carrier has been lax in data protection and security. 

Last year, British Airways faced a "notice of intent" filed by the ICO to fine the airline  £183.4 million for failing to protect the data of 500,000 customers in a data breach during 2018.

However, easyJet has a more immediate legal concern due to law firm PGMBM, which has issued a class-action claim with a potential liability of £18 billion, or up to £2,000 per impacted customer.

The lawsuit has been filed in the High Court of London on behalf of customers. According to the firm, easyJet's data breach took place in January 2020, and while the ICO was apparently notified at this time, customers were not informed until four months later.

CNET:  That used or refurbished Android phone might be unsafe: 6 things to know

"The sensitive personal data leaked includes full names, email addresses, and travel data that included departure dates, arrival dates, and booking dates," PGMBM says. "In particular, the exposure of details of individuals' personal travel patterns may pose security risks to individuals and is a gross invasion of privacy."

The class-action lawsuit leans on GDPR legislation which gives consumers the right to claim compensation when their information is compromised in security incidents. 

Tom Goodhead, PGMBM Managing Partner said the "monumental" data breach is a "terrible failure of responsibility that has a serious impact on easyJet's customers." 

EasyJet told ZDNet that the company "will not be commenting on this matter."

TechRepublic:  Akamai CTO on how bots are used online in legal and illegal ways

In related news this month, Verizon's latest Data Breach Investigation Report highlights how a common factor in data breaches, the misconfiguration of cloud-based repositories and buckets, continues to a problem of which the scale is being made more apparent due to increased reporting. 

Furthermore, Verizon says that configuration errors are now a rising trend in data breaches, alongside malware variants including scrapers, the use of stolen credentials, and phishing. 

The biggest Internet of Things, smart home hacks of 2019

 width=

Previous and related coverage

  • EasyJet hack: 9 million customers hit and 2,000 credit cards exposed
  • Verizon's data breach report highlights how unsecured cloud storage opens door to attacks
  • GDPR: 160,000 data breaches reported already, so expect the big fines to follow

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

 width=

Apple secures iMessage against threats from the future

 width=

The best iPad Air cases you can buy: Expert reviewed

 width=

Why were millions of AT&T customers left disconnected? We have an answer

9 million EasyJet customers hit by data breach: What to do now

EasyJet customers at higher risk of phishing attacks

The EasyJet logo on the rudder of a large aircraft.

Cybercriminals stole the personal details of 9 million customers, including 2,200 credit-card numbers, from British budget airline EasyJet, the airline disclosed today (May 19).

"The email address[es] and travel details of approximately 9 million customers were accessed" in "an attack from a highly sophisticated source," EasyJet said in an official statement . "These affected customers will be contacted in the next few days," which the statement clarified would be by May 26.

  • The best identity theft protection services: Keep your private data private
  • What to do if your credit card is stolen
  • Latest: Stimulus check 2020: What you need to know

"For a very small subset of customers (2,208), credit card details were accessed," the statement said. "Action has already been taken to contact all of these customers and they have been offered support."

Details about exactly what kind of credit-card information were compromised — such as 3- or 4-digit security codes — were not immediately available. But no passport numbers were compromised, the EasyJet statement said. 

What kind of risks are EasyJet customers facing?

The affected EasyJet customers are not likely to be at increased risk of identity theft , but are likely to see much more spam and possibly an uptick in phishing attacks as a result of their email addresses becoming public. 

"We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications," the EasyJet statement said. "We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays."

The Register found a couple of tweets dating from April 2 in which people reported receiving emails notifying them of an EasyJet data breach involving credit cards. The BBC reported that EasyJet learned of the breach in January and notified customers whose credit cards were compromised in early April.

If you've got an online account with EasyJet, it couldn't hurt to change the account password despite there being no indication that passwords were compromised. One of the best password managers might help with that.

And if you've been told by EasyJet that your credit card was compromised in this incident, check your recent statements and notify the card issuer immediately if you see anything amiss.

Fines or no fines?

EasyJet may be face huge fines if it is found to have inadequately protected customer personal data, as defined by European General Data Protection Regulation (GDPR). British Airways had to pay a $225 million fine to the U.K. Information Commissioner's Office for a 2018 data breach that affected 500,000 customers. 

However, EasyJet may be let off the hook: Wired UK noticed that the ICO was telling complainants that it would not enforce data-protection regulations during the coronavirus crisis. The airline, which reportedly carried 28 million passengers in 2019, has been effectively grounded since the end of March .

Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!

Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil .

1Password password manager review

LastPass password manager review

'Formula 1: Drive to Survive' returns to Netflix for season 6 and I'm surprisingly hooked

Most Popular

By Ryan Epps February 22, 2024

By Malcolm McMillan February 22, 2024

By Christina Izzo February 22, 2024

By John Velasco February 22, 2024

By Jason England February 22, 2024

By Tony Polanco February 22, 2024

By Brittany Vincent February 22, 2024

By Ryan Morrison February 22, 2024

By Dan Bracaglia February 22, 2024

By Josh Render February 22, 2024

  • 2 My 5 favorite movies leaving Netflix in February 2024 that you need to watch
  • 3 Forget the gym — you just need a pair of dumbbells and 6 exercises to build full-body muscle
  • 4 I swapped my $500 wireless Razer gaming setup for a $100 one from Amazon — and I’m shocked by how good it is
  • 5 What is a Dutch oven — everything you need to know about this kitchen essential
  • Work & Careers
  • Life & Arts

Become an FT subscriber

Limited time offer save up to 40% on standard digital.

  • Global news & analysis
  • Expert opinion
  • Special features
  • FirstFT newsletter
  • Videos & Podcasts
  • Android & iOS app
  • FT Edit app
  • 10 gift articles per month

Explore more offers.

Standard digital.

  • FT Digital Edition

Premium Digital

Print + premium digital.

Then $75 per month. Complete digital access to quality FT journalism on any device. Cancel anytime during your trial.

  • 10 additional gift articles per month
  • Global news & analysis
  • Exclusive FT analysis
  • Videos & Podcasts
  • FT App on Android & iOS
  • Everything in Standard Digital
  • Premium newsletters
  • Weekday Print Edition

Complete digital access to quality FT journalism with expert analysis from industry leaders. Pay a year upfront and save 20%.

  • Everything in Print
  • Everything in Premium Digital

The new FT Digital Edition: today’s FT, cover to cover on any device. This subscription does not include access to ft.com or the FT App.

Terms & Conditions apply

Explore our full range of subscriptions.

Why the ft.

See why over a million readers pay to read the Financial Times.

International Edition

  • International edition
  • Australia edition
  • Europe edition

EasyJet planes parked at Luton airport

EasyJet reveals cyber-attack exposed 9m customers' details

Airline apologises after credit card details of about 2,200 passengers were stolen Q&A: are you affected and what should you do?

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company said on Tuesday that email addresses and travel details were accessed and it would contact the customers affected.

Of the 9 million people affected, 2,208 had credit card details stolen, easyJet told the stock market. No passport details were uncovered.

Those customers whose credit card details were taken have been contacted, while everyone else affected will be contacted by 26 May.

EasyJet did not immediately give details of how the breach occurred, but said it had “closed off this unauthorised access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data regulator.

The breach is one of the largest to affect any company in the UK, and raises the possibility of easyJet paying a large fine at a time when the coronavirus pandemic has put it under severe financial pressure.

British Airways was fined £183m in July 2019 after hackers stole the personal information of half a million customers. In the same month, the hotels group Marriott was fined £99.2m for a breach that exposed the data of 339 million customers worldwide.

The ICO recommended easyJet contact everyone affected because of an increased risk of phishing fraud, the airline said.

The ICO’s power to fine companies has increased under the EU’s General Data Protection Regulation.

EasyJet said “there is no evidence that any personal information of any nature has been misused”.

The easyJet chief executive, Johan Lundgren, said: “We would like to apologise to those customers who have been affected by this incident. Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams.

“As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

  • Airline industry
  • Data and computer security
  • Consumer affairs

Most viewed

EasyJet: Nine million customers' details 'accessed' by hackers

Britain's data watchdog is investigating after the breach which saw 2,200 customers' credit card details accessed by hackers.

easy jet data breach

Business reporter @SkyNewsBiz

Tuesday 19 May 2020 16:09, UK

easy jet data breach

Easyjet has revealed that the personal details of nine million customers have been accessed by "highly sophisticated" hackers.

The discount airline - currently mired by the grounding of flights because of the coronavirus crisis and a leadership tussle led by its founder - said it discovered the data breach in late January and was in the process of notifying those affected.

It stressed there was no evidence that data had been misused by criminals.

The Information Commissioner's Office (ICO), Britain's data watchdog, said it was investigating the incident.

Johan Lundgren is a 30-year travel industry veteran and former deputy CEO of TUI. Pic: easyJet

Easyjet said it believed that the email addresses and travel details of nine million people were exposed along with the credit card details of more than 2,200 customers.

The airline said passport and credit card details were otherwise secure.

According to Reuters the attack is thought to have been conducted by a suspected Chinese hacking group which has targeted multiple airlines in recent months.

More on Easyjet

Leicester band Easy Life

Easy Life legal row: The charity brand taking on easyGroup - and what happens next for Leicester band?

Leeds Festival - Day 4 ** STORY AVAILABLE, CONTACT SUPPLIER** Featuring: Easy Life Where: Leeds , United Kingdom When: 27 Aug 2023 Credit: Graham Finney/Cover Images  (Cover Images via AP Images) Pic: AP

Band sued by easyJet brand owners to change name

Listen to the Sky News Daily with Niall Paterson

Air traffic control chaos: Could it happen again? 

Related Topics:

Easyjet began to inform those whose card details were accessed in April and "following discussions" was now notifying other customers.

The reason that it had taken from January until April to contact people was because of the time taken "to understand the scope of the breach", which was "highly sophisticated", a spokesman said.

Easyjet's statement said: "There is no evidence that any personal information of any nature has been misused, however... we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing."

It added: "We're sorry that this has happened, and we would like to reassure customers that we take the safety and security of their information very seriously.

"Easyjet is in the process of contacting the relevant customers directly and affected customers will be notified no later than 26 May."

The company said it had been working with the Information Commissioner's Office (ICO) and National Cyber Security Centre since discovering the hacking.

An ICO spokesperson said: "We have a live investigation into the cyber attack involving easyJet.

"People have the right to expect that organisations will handle their personal information securely and responsibly.

"When that doesn't happen, we will investigate and take robust action where necessary."

British Airways, in the process of cutting 12,000 jobs to reshape itself for the future beyond the COVID-19 pandemic, is currently on notice from the ICO for a £183m fine over a similar breach in 2018 that coincided with tougher new powers for the regulator to punish sloppy protections.

Please use Chrome browser for a more accessible video player

General Secretary of BALPA, Brian Strutton

The details of 500,000 customers were compromised in that incident .

Easyjet's disclosure comes at a critical time for its leadership as it battles a series of challenges including a meaningful return to the skies as the coronavirus pandemic eases.

The airline's founder and biggest shareholder Sir Stelios Haji-Ioannou's family is also seeking to remove chief executive Johan Lundgren and three other members of the board in a shareholder vote due this Friday.

The row centres on a £4.5bn order for new planes from Airbus which Sir Stelios argues should be scrapped.

Sky News has previously revealed a bizarre twist over his offer of a £5m reward for information that leads to the deal being cancelled.

The tycoon wants the cash to be used instead to help the company emerge stronger from the pandemic crisis.

Easyjet has furloughed thousands of staff and borrowed £600m under a government-backed financing scheme.

Related Topics

BleepingComputer.com logo

EasyJet hacked: data breach affects 9 million customers

Lawrence abrams.

  • May 19, 2020

EasyJet

EasyJet, the UK's largest airline, has disclosed that they were hacked and that the email addresses and travel information for 9 million customers were exposed. For some of these customers, credit card details were also accessed by the attackers.

In a data breach notification disclosed today, EasyJet states that they have suffered a cyberattack, and an unauthorized third-party was able to gain access to their systems.

During this attack, the threat actors were able to access the email addresses and travel information for nine million customers. For approximately 2,208 customers, credit card details were also exposed.

"Our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed.  Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed."

"Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed.   Action has already been taken to contact all of these customers and they have been offered support," EasyJet stated in a " Notice of cyber security incident ."

Once EasyJet learned of the attack, they notified the UK's National Cyber Security Centre and the ICO.

EasyJet states that they are notifying affected customers and that all of those affected will receive the notification by May 26th, 2020.

What should an EasyJet customer do?

If you are an EasyJet customer and are concerned you have been exposed or received a data breach notification, you should take the following steps.

As your travel information and email address have been exposed, you should be on the lookout for targeted phishing emails that utilize this info.

If you receive any emails about upcoming travel, do not reply with any sensitive information and instead go to easyjet.com to interact directly with the company.

Those whose credit card details were exposed should monitor their statements for any fraudulent activity and report anything detected immediately.

It is also suggested that you contact your credit card company, explain the situation, and request a new credit card and number to be safe.

BleepingComputer has contacted EasyJet for more information but has not heard back as of yet.

Related Articles:

FCC orders telecom carriers to report PII data breaches within 30 days

Verizon insider data breach hits over 63,000 employees

Mint Mobile discloses new data breach exposing customer data

Victoria court recordings exposed in reported ransomware attack

U-Haul says hacker accessed customer records using stolen creds

  • Credit Card
  • Data Breach
  • Personal Information
  • Previous Article
  • Next Article

Post a Comment Community Rules

You need to login in order to post a comment.

Not a member yet? Register Now

You may also like:

Healthcare

UnitedHealth confirms Optum hack behind US healthcare billing outage

LockBit

New ScreenConnect RCE flaw exploited in ransomware attacks

Sign in with Twitter button

Help us understand the problem. What is going on with this comment?

  • Abusive or Harmful
  • Inappropriate content
  • Strong language

Read our posting guidelinese to learn what content is prohibited.

Update Your Browser

This website is not compatible with Internet Explorer 9 or below, we recommend you update your browser.

Did you know

Old and outdated browser version have security issues and don't follow new web standards. By updating your browser you can element these issues and enjoy a feature rich experience.

Which browser should I choose?

Google Chrome more info | free download

Internet Explorer more info | free download

Mozilla Firefox more info | free download

EasyJet suffers large scale data breach and faces potential group litigation

What has happened.

On 19 May 2020, EasyJet confirmed that it was targeted in a highly sophisticated cyber-attack. The airline group said that email addresses and travel details of approximately nine million customers worldwide were accessed, out of which 2,208 customers had their credit and debit card details (including each card’s security code) accessed. EasyJet has also stated that there is no evidence that the compromised customer data has been misused.

EasyJet first became aware of the attack in January, but stated that due to the level of sophistication of the attack, it required time to understand the scope of the attack. EasyJet first informed those customers whose credit card details had been impacted in April.

What does this mean for EasyJet?

The impact of a large-scale data breach of a household name will likely lead Easyjet to suffer reputational damage. Easyjet will be investigated by the ICO and may face investigation by other relevant authorities. It is also facing a potential group litigation claim of up to £18 billion in respect of the breach.

1) Regulatory fine from the Information Commissioner’s Office

Organisations may face fines up to 4 per cent of global turnover or £17m, whichever is higher, from the UK Information Commissioner Office (the ' ICO' ) for breach of the General Data Protection Regulation (' GDPR ') and the Data Protection Act 2018 (' DPA 2018 '). Many will remember that the ICO issued its first intention to fine under GDPR and the DPA 2018 in July 2019. British Airways was fined £183.39m after personal information of half a million customers were compromised, and Marriott was fined £99.2m for a breach that exposed approximately 339 million guest records worldwide, of which 30 million relates to individuals in the EEA. The final decisions of both intended fines are yet to be published.

Whilst the ICO has indicated at the beginning of the Covid-19 pandemic that it would take an 'empathetic and proportionate' approach to assessing reported incidents and the airline industry is one of the worst hit industries during the pandemic, the number of customers affected by the EasyJet data breach is significant. Despite the fact that Easyjet claims the attack was sophisticated, penalty notices issued by the ICO in respect of previous fines (including a recent fine levied against Cathay Pacific) indicate that the ICO is likely to assess the level of sophistication of the attack in light of the resource available to the business as well as its compliance practice.

It is also uncertain to what extent the ICO would accept EasyJet’s explanations as to why the incident was not reported earlier, since suspicious activities were noticed back in January. Controllers are required to report a data breach to the ICO within 72 hours of becoming aware of it. The European Data Protection Board (previously Working Party 29) suggested in its guidance that a controller should be considered to have become 'aware' when it has a reasonable degree of certainty that a security incident has led to personal data being compromised.

2) Group litigation from the affected individuals

On 22 May 2020, PGMBM, a UK firm specialised in group litigation, issued a claim form in the London High Court and sought a group litigation order, which will allow PGMBM to conduct the claim on behalf of those affected individuals who decide to 'opt in' during a set period (in contrast of the 'opt out' style representative claims in Lloyd v Google [2019] EWCA Civ 1599 , which we previously discussed here ). PGMBM claimed that damages for each affected individual can be around £2,000 or more, which will bring the total value of the claim up to £18bn. It has been reported that about 10,000 customers from 50 countries have already joined the claim.

In relation to Lloyd v Google , Google has obtained permission to appeal earlier this year and the Supreme Court judgement is not expected until later this year at the earliest. If Mr Lloyd were successful in his claim, the case may provide some much needed insight into how damages will be assessed in data breach group litigation.

The Covid-19 pandemic has created the prime environment for cyber-attacks and data breaches, with individuals becoming more aware of their data subject rights and specialised firms widely promoting group litigation claims amid large scale data breaches, more group litigation claims are likely to emerge in response to data breaches over the next 12 -24 months.

Preventing and responding to a data breach

Organisations, both small and large, are at risk of sophisticated cyber-attacks, especially during the current pandemic when most organisations will have a proportion of their workforce working remotely. It is always recommended that organisations actively review and constantly improve their information security practice. The National Cyber Security Centre also provides useful guidance on managing security risk, protecting against cyber-attack, detecting cyber security events and minimising the impact of cyber security incidents.

When suspicious activities within the IT system are identified or reported, organisations should bear in mind that the 72-hour reporting window starts when it is reasonably certain that a data breach might have occurred. If for any reason the time limit cannot be met, organisations will need to be prepared to explain the reasons for the delay.

If you would like assistance with your data protection matters and managing data breach risks, please contac  David Varney in our Data Protection team .

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing

Subscribe to news and insight

Related news and insights, finally here: the db funding and investment strategy regulations - key points and actions.

The final DB Funding and Investment Strategy Regulations are here. Whilst there are still related parts missing like the Code, here are the key points / actions

Burges Salmon continues growth with five new partner appointments

Employment law updates: important changes for employers, burges salmon guides santander uk, triple point and rabobank through latest financing round to support scotland-based battery energy storage project, burges salmon careers.

Lawsuit seeking billions in damages filed against EasyJet

By Jeff Stone

May 27, 2020

Easyjet lawsuit

Lawyers always seem to recognize a good data breach when they see one.

A British law firm, PGMBM, announced Tuesday it filed a lawsuit against EasyJet, the largest airline in the U.K., in connection with a security incident in which details about 9 million people were exposed. The firm is seeking up to £18 billion ($22 billion), including up to 30% in fees, or roughly £5.4 billion ($6.6 billion), for itself. The suit in London’s High Court follows similar legal action against British Airways, which announced its own data breach in 2018.

EasyJet said on May 19 that hackers had accessed travel information about up to 9 million people, and credit card details belonging to more than 2,000 people. While it remains unclear exactly when the breach occurred, the BBC first reported that EasyJet had learned of the attack in January, only to disclose it months later. Some customers have reported receiving EasyJet-themed phishing messages, according to the Register , though it remains unclear if the personal data lost in the breach is being used for fraud.

The U.K. Information Commissioner’s Office also said it is investigating the incident. The European Union’s General Data Protection Regulation requires breached organizations to report incidents involving personal information within 72 hours, under some circumstances.

PGMBM said much of its legal argument will rest on Article 82 of the GDPR, which guarantees the “right to compensation and liability” to “any person who has suffered material or non-material damage[.]”

PGMBM also has filed suit against British Airways for the breach there that resulted in the theft of information about 500,000 customers. The U.K.’s ICO fined British Airways £183.39 million ($229.2 million at the time) for security vulnerabilities that made it possible for hackers to insert malware onto digital payments systems. While British Airways has appealed the fine, the proposed punishment from the ICO was among the first major maneuvers that exposed regulators’ appetite for enforcing GDPR.

In February, the European Data Protection Board released a report in which 20 out of 27 countries said they do not have enough financial, technical or employee resources to enforce GDPR with timely investigations.

The lawsuit filed against EasyJet is a group litigation order, which is different from American class-action lawsuits. British GLOs could be more vulnerable to a range of legal challenges that could result in the lawsuits being delayed, or thrown out entirely, as the Register noted.

More Like This

Sec’s breach disclosure rule raises concerns about tipping off hackers to flawed systems, scammers target cloudflare ceo with silicon valley bank-themed spearphishing , uk threatens clearview ai with nearly $23m fine over its facial recognition tech, top stories, utilities trade association releases baseline cyber standards for distributed renewable energy, leaked documents show how firm supports chinese hacking operations, georgia election officials withheld evidence in voting machine breach, group alleges, more scoops.

EasyJet breach

EasyJet announces breach impacting 9 million people

point of sale, credit card, debit card, payment card, retailer

U.K. regulator dings tech retailer for breach that affected 14 million people

british airways gdpr fine

British Airways fined $229 million under GDPR for data breach tied to Magecart

Latest podcasts.

easy jet data breach

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam, how the fbi fights ransomware.

easy jet data breach

Cherilyn Pascoe on NIST’s strategy for federal cyber resilience

  • Microsoft rolls out expanded logging six months after Chinese breach
  • Biden signs executive order to give Coast Guard added authority over maritime cyber threats
  • Rob Joyce leaving NSA at the end of March
  • CISA releases 2024 priorities for the Joint Cyber Defense Collaborative
  • Apple rolls out quantum-resistant cryptography for iMessage
  • White House ramping up efforts to combat deepfakes
  • Google: Governments need to do more to combat commercial spyware
  • Meta’s Oversight Board slams company policies for manipulated media
  • Report: Manufacturing bears the brunt of industrial ransomware
  • FBI, British authorities seize infrastructure of LockBit ransomware group
  • Ukrainian national pleads guilty for roles in Zeus, IcedID malware operations
  • The tangled web of corporations behind the New Hampshire AI robocall 

Geopolitics

  • DOJ, FBI disrupt Russian intelligence botnet
  • Google: Iranian, regional hacking operations that target Israel remain opportunistic but focused
  • Feds: Chinese hacking operations have been in critical infrastructure networks for five years
  • State Department will not issue visas to individuals linked to spyware abuse

“Limited resources” scupper ICO probe into EasyJet breach

The decision to drop the probe has been described as “deeply concerning” by security practitioners

EasyJet aircraft cross each other while one of them taxies for take off at Orly International Airport on September 10, 2023 in Paris, France

The Information Commissioner’s Office (ICO) in the UK has abandoned its probe into the 2020 data breach at budget airline EasyJet due to “limited resources”. 

According to the watchdog, the continuation of an investigation into the data breach was not in its interests and failed to represent the best use of its resources. 

The EasyJet hack remains one of the largest data breaches in UK history, with data belonging to around nine million customers exposed. 

Information including names, email addresses, travel details, and credit card details was accessed in the breach.

Customers were warned at the time they could face heightened security threats, such as phishing , as a result of the breach. 

Confirming the decision to drop the investigation, a spokesperson for the watchdog said it still places a strong focus on enforcement of data protection rules and that “all data breaches reported to us are important”. 

Breached for years: How long-term cyber attacks are able to linger SEC data breach rules branded “worryingly vague” by industry body Data breach costs: Businesses lose 73% of their income in the year following an incident

“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward,” the spokesperson said. 

“It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organizations. 

“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time.”

The ICO said it’s currently in the process of transforming how it prioritizes and delivers activity to ensure “timely and transparent results”. 

The move is part of a concerted effort at the watchdog to prepare for the forthcoming Data Protection and Digital Information Bill , the spokesperson added. 

ICO decision could create wrong message

The decision to drop the probe has been met with criticism from security industry practitioners amid claims that it could send the wrong message to organizations in the future. 

Mike Newman, CEO of My1Login, said the decision is concerning given that British Airways was handed a £20 million fine for a “much smaller data breach”. 

“The industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case,” he said. 

“Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud, and identity theft . It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and could send out a very wrong message to other organizations.”

Get a roadmap to effective governance and increase resilience DOWNLOAD NOW

Barrier Networks CISO, Jordan Schroeder, echoed Newman’s comments on messaging. However, he insisted the ICO still appears firmly committed to enforcement and ensuring robust data protection standards across the UK. 

“This latest update could give off mixed messages and it will undoubtedly receive a lot of scrutiny, but it shouldn’t be seen as an indication that the ICO is ‘easing up’ or that data breaches will be tolerated,” he said. 

“Organizations have a duty to care for the data they hold and process, and they must take the protection of that data very seriously. These protections shouldn’t only be motivated by compliance or the risk of regulatory fines, but mainly because of their duty of care to customers, employees, and partners.”

Get the ITPro. daily newsletter

Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.

Ross Kelly

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at [email protected], or on Twitter and LinkedIn .

Two massive healthcare data breaches just exposed more than half of France's population

The Verizon data breach that exposed 63,000 employees is a reminder of how a simple mistake can have costly implications

Ivanti Connect Secure flaws have been targeted 250,000 times a day since January - and hackers show no signs of stopping

Most Popular

By Daniel Todd February 21, 2024

By Solomon Klappholz February 21, 2024

By George Fitzmaurice February 21, 2024

By Steve Ranger February 20, 2024

By George Fitzmaurice February 20, 2024

By Daniel Todd February 20, 2024

By Ross Kelly February 20, 2024

By George Fitzmaurice February 19, 2024

By Ross Kelly February 19, 2024

Go virtual in 3 steps, with Forrester

Delivering profitable hosting services at lower prices, unified endpoint management and security in a work-from-anywhere world, the power of ai & automation: proactive it.

  • 2 Surge in female computing degree applications shows the tide is slowly turning on tech sector gender diversity
  • 3 Kyndryl and Veeam unveil new global strategic alliance
  • 4 Adobe’s new AI assistant is here, and it wants to chat to you about PDFs
  • 5 Cloud security breaches surge on a wave of stolen credentials

easy jet data breach

easy jet data breach

  • Webinar I Future Proof Your Organization with an Integrated Approach to Enterprise Customer Decisioning •
  • Gaining Security Visibility and Insights Throughout the Identity Ecosystem •

Breach Notification , Cybercrime , Forensics

EasyJet Data Breach Exposes 9 Million Customers' Details

  • Credit Eligible
  • Get Permission

EasyJet Data Breach Exposes 9 Million Customers' Details

European budget airline EasyJet says it suffered a data breach that exposed 9 million customers' personal details.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

"Our investigation found that the email address and travel details of approximately 9 million customers were accessed," according to a notice of cybersecurity incident issued Tuesday by EasyJet, which is based at London Luton Airport, located 28 miles north of central London.

Affected customers will be contacted by May 26, EasyJet adds. "If you are not contacted then your information has not been accessed."

At the beginning of the year, EasyJet served 156 airports in 33 countries. But the airline grounded the majority of its fleet on March 24 due to countries' COVID-19 lockdowns and travel restrictions.

EasyJet says that email addresses and travel itineraries - but no passport information - were exposed in the breach. As part of its ongoing digital forensic investigation, the airline has also found that for a small number of customers - just 2,208 - payment card details were also "accessed" by attackers. "Action has already been taken to contact all of these customers and they have been offered support," it says.

The airline has yet to specify how attackers accessed its systems, when the data breach began, how long it lasted or when it was first detected. But the BBC reports that the breach began in January and that customers whose payment card data was accessed were notified in April.

EasyJet customer Samantha Burt, for one, received an alert from the airline on April 2 saying that her credit card information - including expiration date and CVV - was exposed.

Can I have some advice to my rights on this, I’ve had zero support from EasyJet apart from demanding my balance next week from an account that has now been hacked, I have requested cancel through a contact form over 60 days, no response. What do I do? pic.twitter.com/j6IFz0Uvan — Samantha Burt (@SamBurt04) April 2, 2020

CEO Issues Apology

"We would like to apologize to those customers who have been affected by this incident," says EasyJet CEO Johan Lundgren. "We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers' personal information."

EasyJet says the notification to customers has been done on the advice of the U.K. Information Commissioner's Office, in part because of heightened worries about phishing scams with a pandemic theme (see: Fresh Twist for Pandemic-Related Phishing Campaigns ).

easy jet data breach

"Owing to COVID-19, there is heightened concern about personal data being used for online scams," Lundgren says. "As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications."

The company says customers should be especially "cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

EU Breach-Notification Rules

Under the EU's General Data Protection Regulation , enforced in the U.K. by the ICO, organizations must inform authorities within 72 hours of discovering a breach that involves people's personal information.

Similar rules are in effect too for the EU's Security of Network & Information Systems Regulations, aka NIS, which applies to essential services, including the transportation sector. The NIS requires covered organizations to notify their local regulatory authority - in the U.K., that's the ICO - "of any incident that has a substantial impact on the provision of your services."

The U.K. Civil Aviation Authority also has oversight of the NIS regulations - together with the government's Department for Transport - as they apply to the aviation sector.

All pertinent information that must be relayed to the regulator - within 72 hours of learning of the incident - may include "the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact," according to the ICO's guide to NIS compliance . The ICO also recommends all organizations filing an NIS incident report simultaneously alert the U.K.'s National Cyber Security Center.

"Major sanctions can be applied for falling foul of the NIS regime," attorney André Bywater, a partner at London-based Cordery, tells Information Security Media Group. But it's not clear yet if NIS might apply or be applicable to this incident. One factor might be whether or not the breach has had "a significant disruptive effect on the provision of so-called ‘essential services,’" which he says "is a very technically complex term." For comparison's sake, he also notes that the 2018 British Airways data breach, which the ICO is investigating, does not appear to have involved NIS.

String of Airline Breaches

EasyJet's breach alert follows other major airlines disclosing data breaches that led to the ICO enforcing fines for poor security practices.

In October 2018, Hong Kong-based Cathay Pacific Airways warned customers that it had suffered a four-year data breach that exposed personal information for more than 9 million passengers and customers, including 111,000 British citizens. In March, the ICO imposed a £500,000 ($612,000) fine against the airline, which was the maximum allowed for the incident, which occurred before GDPR and the potential for much greater fines came into effect (see: Cathay Pacific Airlines Fined Over Data Breach ).

In July 2019, the ICO published a notice of intent that it planned to impose a record-setting £184 million ($225 million) fine on British Airways after it suffered a September 2018 data breach that rerouted customers to a fraudulent site designed to steal their payment card data. The airline says about 500,000 customers were affected (see: British Airways Faces Record-Setting GDPR Fine ).

A final fine against BA, however, has yet to be set, and has been delayed multiple times due to the ongoing COVID-19 pandemic and the ICO saying it was slowing the pace of its enforcement efforts. Information Commissioner Elizabeth Denham has also said that the amount of the final fine might be lower, due to the extreme financial pressure now facing airlines (see: GDPR and COVID-19: Privacy Regulator Promises 'Flexibility' ).

Unanswered Breach Questions

With at least three big airlines having disclosed major breaches in recent years that included U.K. victims, one pertinent question is whether airlines are more prone to suffering data breaches.

"It does seem that airlines have more than their fair share of reported data breaches - for example, the ICO investigations into Cathay Pacific and BA,” attorney Jonathan Armstrong, a partner at Cordery, tells ISMG. "I wonder if they do in fact suffer more breaches or if the reporting culture in airlines, coupled with NIS and the need to report, in addition, sometimes to airline authorities, makes them just more open about reporting breaches."

Cue this rhetorical question from Armstrong: "Are they more vulnerable to breaches, or just more honest?”

  • API Security
  • Breach Notification
  • Fraud Management & Cybercrime
  • Fraud Risk Management
  • Geo Focus: The United Kingdom
  • Geo-Specific
  • Incident & Breach Response
  • Managed Detection & Response (MDR)
  • Security Operations

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

You might also be interested in …

Understanding Human Behavior to Tackle ATO & Fraud

Understanding Human Behavior to Tackle ATO & Fraud

OnDemand Panel | Resolving an Identity Crisis? Approaches, Impacts and Innovation for Fraud & KYC

OnDemand Panel | Resolving an Identity Crisis? Approaches, Impacts and Innovation for Fraud & KYC

Protect the Brand: Online Fraud and Cryptocurrency Scams

Protect the Brand: Online Fraud and Cryptocurrency Scams

Stronger Security Through Context-aware Change Management: A Case Study

Stronger Security Through Context-aware Change Management: A Case Study

Cybersecurity Talent Shortage: Combining In-House Expertise With Automation

Cybersecurity Talent Shortage: Combining In-House Expertise With Automation

Playing A New Hand: How Digitalization Is Reshuffling The Cards For Banks Worldwide

Playing A New Hand: How Digitalization Is Reshuffling The Cards For Banks Worldwide

Rapid Digitization and Risk: A Roundtable Preview

Rapid Digitization and Risk: A Roundtable Preview

The Role of Biometrics and KYC in Seamless Onboarding

The Role of Biometrics and KYC in Seamless Onboarding

Delving Deeper: 2023 Fraud Insights Second Edition

Delving Deeper: 2023 Fraud Insights Second Edition

Around the network.

How a Novel Legal Maneuver Got a Hospital's Stolen Data Back

How a Novel Legal Maneuver Got a Hospital's Stolen Data Back

How to Win a Cyberwar: Use a Combined Intelligence Strategy

How to Win a Cyberwar: Use a Combined Intelligence Strategy

How the Merck Case Shapes the Future of Cyber Insurance

How the Merck Case Shapes the Future of Cyber Insurance

Resilience: The New Priority for Your Security Model

Resilience: The New Priority for Your Security Model

Cyberwar: What Is It Good For?

Cyberwar: What Is It Good For?

XDR and the Benefits of Managed Services

XDR and the Benefits of Managed Services

Pushing the Healthcare Sector to Improve Cybersecurity

Pushing the Healthcare Sector to Improve Cybersecurity

Large Language Models: Moving Past the Early Stage

Large Language Models: Moving Past the Early Stage

Top Considerations for Complying With My Health My Data Act

Top Considerations for Complying With My Health My Data Act

Bolstering Healthcare Cybersecurity: The Regulatory Outlook

Bolstering Healthcare Cybersecurity: The Regulatory Outlook

Please fill out the following fields (all fields required):, subscription preferences:, operation success, risk management framework: learn from nist.

easy jet data breach

90 minutes · Premium OnDemand 

From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations' risk management capabilities. But no one is showing them how - until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37 - the bible of risk assessment and management - will share his unique insights on how to:

  • Understand the current cyber threats to all public and private sector organizations;
  • Develop a multi-tiered risk management approach built upon governance, processes and information systems;
  • Implement NIST's risk management framework, from defining risks to selecting, implementing and monitoring information security controls.

Presented By

Sr. Computer Scientist & Information Security Researcher, National Institute of Standards and Technology (NIST)

 alt=

EasyJet Data Breach Exposes 9 Million Customers' Details

Was added to your briefcase

Request to Republish Content

easy jet data breach

Email this Content

Just to prove you are a human, please solve the equation:

Join the ISMG Community

Register with an ismg account, already have an ismg account.

Sign in now

Need help registering? Contact support

Thank you for registering with ISMG

Complete your profile and stay up to date

Need help registering?

Contact Support

Sign in to ISMG

Sign in with your ismg account, don't have one of these accounts.

Create an ISMG account now

Forgot Your Password?

Enter your email address to reset your password, forgot your password message:.

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.

You are using an outdated browser. Please upgrade your browser or activate Google Chrome Frame to improve your experience.

easy jet data breach

EasyJet Data Breach: 9 million passengers hacked. How to claim up to £2,000 in compensation

easy jet data breach

This story is updated on May 24, 2020

Major update:

  • easyJet data breach victims already filed a class action law suit to sue airline for up to £2,000 in compensation.
  • The court has already accepted the case and if you suffered from easyJet data breach.
  • We advise to act fast and submit request for free evaluation, so you can join the class action.

Victim of easyJet data breach? Submit a free request and join the class action to claim - up to £2,000 in compensation SUBMIT CLAIM NOW

Original article:

Data breach incident happened in 2019, but was only detected in January 2020 when EasyJet airline identified some suspicious activity. EasyJet reported a data breach to include email addresses, travel details, for some customers even credit card information was compromised. Case was reported to the UK's Information Commissioner's Office (ICO).

Large Impact of EasyJet data breach (high risk of phishing attacks)

As a result of the data incident, the 9 million people's personal information, to include email addresses, travel records were compromised. More than 2 thousand customers’ credit card details were compromised.

Stolen credit card data included credit card CVV code (three digital security codes), which is sensitive information that may allow bad actors to undertake fraudulent transactions.

Airline notified those passengers, whose credit card details were leaked, in April 2020.

According to EasyJet “ This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted ", as reported by BBC.

Airline informed passengers once investigation had progressed enough that the airline identified the scope of the breach and affected passengers.

The impact of the data breach could be far-reaching since EasyJet is the largest airline in the United Kingdom and flew 96.1 million passengers in 2019 alone. Those seven million passengers whose data may be compromised may be exposed to phishing attacks. Phishing is when bad actors send emails with links to fake websites that attempt to steal personal data, which results in identity theft and fraud.

EasyJet said it is committed to inform all affected passengers about such potential risks.

EasyJet stated that:

"there is no evidence that any personal information of any nature has been misused, however, on the recommendation of the UK's Information Commissioner's Office , we are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

In response to the breach, the ICO (the ICO is the UK's independent body that protects individuals’ information rights) said that it was investigating the data incident and that

"People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary."

Interesting stats according to recent surveys:

“ 1 out of 2 victims are notified by companies of data breach . On average it takes approx. 185 days for companies to react to data breach, so companies are slow to identify and respond to data incidents. if you have not been notified about data breach, it does not guarantee you were not affected. ”

So our experts at DataClaim recommend you to check with airlines and ICO (contact details below) and follow our checklist below to remain on the safe side.

EasyJet data breach puts 7 million passengers at risk of phishing attacks

With email information and travel records compromised passengers are exposed to increased risk of phishing attacks, since many people are cancelling flights due to COVID 19 and related restrictions. Fraudsters can set up a clone website, example EaseJet.com which will look very similar to the original website with the goal to elicit any more personal information (name, login details, credit card details).

What does it mean for you? If you ever flown with EasyJet, you should:

  • be very careful when you open and/or check any emails that come from the airline and you should check the sender information.
  • In case of doubt, we advise to create a new email or call the airline. This way you can reduce the risk.
  • Never click on any links asking for your personal information.
  • If you want to contact EasyJet airlines, you can refer to contact details below and in sources.

UK Airlines recent exposure to data security breaches

Not too long ago, British Airways had suffered a massive data breach in 2018, where personal information of half a million passengers was compromised. As a result British Airways received a record fine of £183 million, notably data breach compensation payouts to passengers could peak at £3 billion.

Example with British Airways shows that sometimes companies may not identify the full scope of the data breach, where BA initially reported 380,000 people affected by breach, which later was increased to half a million. So this might hold true in this case as well.

If you are a victim of British Airways data breach, submit a request for free evaluation. You might be owed up to £2,000.

Data breached? You might be owed to compensation up to £2,000 CHECK COMPENSATION RISK-FREE

EasyJet Potential Liability for a Data Breach

Under GDPR (General Data Protection Regulation), if EasyJet is proved to have mishandled passengers’ personal data, the airline could face a fine of up to 4% of its annual worldwide turnover.

In addition to penalties, airlines if found guilty may be liable to pay compensation to passengers whose personal information was compromised.

EasyJet Data Breach: Can I Claim up to £2,000 in Compensation under GDPR?

The GDPR allows for private claims for compensation, so there is a legal ground to bring a data breach compensation claim.

While there is no determination of negligence on part of the airline yet, it is quite likely. In such a case any affected passenger can bring a claim for compensation even in absence of economic damages. DataClaim can help you claim compensation risk-free.

Are you a victim of easyJet data breach? You might be owed up to £2,000 CHECK COMPENSATION RISK-FREE

EasyJet Data Breach: How much compensation can I claim?

It depends and will be decided by the judge depending on your case and any inconvenience or losses suffered. Our estimate that compensation can be up to £2,000 or higher , if you suffered any identity theft, fraud or other losses.

EasyJet Data Breach what to do - Top 13 things to do (checklist)

If you were affected by EasyJet data breach, here is what you should do:

  • Request to freeze credit card and get a new one, if the airline informed you that your credit card details were compromised
  • Change login and password for your EasyJet Flight Club or EasyJet Holidays profiles
  • If you use the same login and password for other accounts or bank accounts, change account access credentials
  • Use double authentication
  • Inform your bank or credit card company on increased risk of fraud
  • Check your bank account and credit card statements for suspicious activity
  • Don’t open unsolicited email from airline
  • Never click on any links in unsolicited email
  • Report any suspicious activity to airline (contact details below)
  • Submit a data breach complaint to ICO here
  • Keep any receipts of any of your expenses or any records of inconvenience or distress suffered
  • If the airline offers you anything, consider accepting it, BUT do it without waiver of your rights to bring a claim for compensation
  • Submit a request to DataClaim for free assessment of your claim. Don’t miss a chance to claim compensation up to £2,000 or more

If you have received a data breach notice from EasyJet, or you think your data might have been compromised, or you noticed suspicious activity, this indicates that you are likely a victim of data breach and you may be entitled to claim compensation up to £1,000 or more. Please submit your case as soon as possible, so we can investigate this for a potential compensation claim against

It is easy, just let us do all the work. Submit a request for free evaluation of your EasyJet case CLAIM COMPENSATION

EasyJet Airline Contact details

EasyJet telephone numbers (website link in sources)

United Kingdom Call 0330 365 5000

Austria Call 0820 320 950

Croatia Call 0601 90199

Denmark Call 458988 1032

France Call 0806141141

Germany Call 03021782171

Greece Call 211198 0013

Israel Call 97237630561

Italy Call 199201 840

Portugal Call 70750 0176

Mon-Fri: 09:00-17:00 (local time)

Spain Call 902599 900

Switzerland Call 0848 282828

Netherlands Call 0900 040 1048

Rest of World Call +44330 3655454

UK's Information Commissioner's Office (ICO) contact details:

Your can submit a complaint online link in sources below

With short deadlines, it is important to act quickly. Check if you are owed compensation - up to £2,000 Claim NOW

https://www.bbc.com/news/technology-52722626

EasyJet airline official website https://www.easyjet.com/en/help/contact

https://ico.org.uk/make-a-complaint/your-personal-information-concerns/personal-information-concerns/

https://www.statista.com/statistics/734265/easyjet-passenger-figures/

Leave a comment

Only registered users can post comment

Was this post helpful?

Spread the word and share it with your friends!

Join the DataClaim Community

Be the first to know about latest data breaches.

Norton secured the whole process of claiming compensation

  • Data Privacy Rights
  • UK Data Breach Compensation
  • CCPA Breach compensation
  • GDPR Breach compensation
  • Check Your Compensation
  • Report a potential claim
  • Lawsuit list
  • Data breach settlements
  • About DataClaim
  • Data Breach News
  • Terms of use
  • Privacy notice

Claim'N Win

EASYJET DATA BREACH COMPENSATION

You could be eligible for up to £2,000/ €2,200 or more depending upon your individual circumstances., about the case.

EasyJet announced on the 19th May, 2020 that sensitive personal data of 9 million travellers had been exposed in a data breach. Despite notifying the UK’s Information Commissioner’s Office of the breach in January 2020, EasyJet waited four months to notify its customers.

The sensitive personal data leaked includes full names, email addresses and most disturbingly of all, travel data including departure dates, arrival dates and booking dates. In particular, the exposure of details of individuals’ personal travel patterns may pose  security risks to individuals and is a gross invasion of privacy.

Under Article 82 of the EU General Data Protection Regulation (EU-GDPR)  you have a right to compensation for inconvenience, distress, annoyance and loss of control of your data.

By joining CLAIM’N WIN’s group litigation today, together with people from all across the world, you have the best chance of ensuring you receive the highest compensation possible from EasyJet.

We do everything for you and make your claim simple.

If we are successful in recovering compensation for you, you will only pay us a maximum of 35% of your damages.

WHO ARE CLAIM'N WIN?

CLAIM’N WIN is the leading class action law firm in the United Kingdom. We currently are leading a class action against British Airways following their data breach. If you join the action, you could not be in better hands.

DATA SECURITY

Hold EasyJet to account for inadequately ensuring data security.

FINANCIAL GAIN

If eligible, you could receive thousands of pounds or euros in compensation.

WE MAKE IT SIMPLE

CLAIM'N WIN will ensure that the process is simple and straightforward.

FREQUENTLY ASKED QUESTIONS

Q. how much compensation will i receive, q. will i have to go to court, q. what will it cost me to bring the claim against easyjet, q. how long does it take to sign up, q. what information do i need to submit to sign up, q. how do i know if i'm eligible for compensation, q. when can i expect to receive my compensation, q. how will you bring my claim, q. what laws are being used to bring the claim against easyjet, q. will i have to pay easyjet’s costs if the claim is lost, q. i work for easyjet, am i still eligible to join this proposed group litigation, q. how much does claim'n win take in fees.

A maximum of 35% of your compensation.

easy jet data breach

  • 03330 155 900

easyJet Data Breach Compensation Claim

AirHelp and PGMBM are joining forces to fight for your rights.

easy jet data breach

AirHelp and PGMBM are joining forces to fight for your rights

Were you affected by the easyJet Data Breach 2020?

You could be entitled to compensation from easyJet for the breach of y our personal data . ​

Were you affected by the  easyJet Data Breach 2020?

What is the easyJet Data Breach?

easyJet announced on 19   May 2020 that personal data of 9 million customers  had been exposed in a data breach.

Despite notifying the UK’s Information Commissioner’s Office of the breach in January 2020 , the airline waited until May 2020 t o notify its customers, four months after the event took place. 

Customers who booked easyJet flights or holidays between  17 October 2019 and 4 March 2020  were informed of their involvement in the breach via email. 

About the claim

Which personal details were compromised.

The personal data breached includes:

  •  Full names   •  Email addresses   •  Travel data (including highly personal information about your departures, arrivals, and booking dates).

The exposure of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy.

easyJet also revealed that about 2,200 passengers had their credit card data stolen , including expiry dates and CVV numbers.

What did easyJet do to help?

Despite the discovery of the data breach in January 2020, easyJet waited four months to notify their customers that their data had been compromised. 

Customers who had their personal information breached, but had not specifically had their financial details taken , were told by easyJet to simply continue “to be alert as you would normally be, especially with any unsolicited communications.”

Customers whose financial details were accessed were offered a 12-month membership to a credit file checking service to allow them to monitor any suspicious use of their identity.

Are you eligible to join the easyJet Data Breach?

More than 9 million people were affected by the easyJet data breach, and PGMBM is already representing thousands of them .

If you received an email from easyJet between April and July 2020 notifying you that your data had been breached, you are eligible to join our claim to hold easyJet accountable.

As both PGMBM and easyJet are based in the UK , we can legally bring claims on behalf of all affected customers irrespective of where they live.

Claim compensation for the easyJet Data Breach now

Join our group action against easyJet today and join thousands of people from all around the world who have also been affected by the easyJet Data Breach.

PGMBM are group action litigation experts and are currently the lead solicitors representing thousands of clients affected by the British Airways Data Breach 2018.

By joining the easyJet Data Breach Claim today , our dedicated team will make your claim for compensation simple and stress free.

We understand the severity of having your data breached and the financial loss, distress, and inconvenience it can cause .

It is time to hold easyJet to account for its poor security arrangements by   claiming compensation now. 

Why should you claim?

While the breach of basic information such as your full name and email address may not seem too damaging at first glance , it could be part of the data required by cyber criminals to:

•  Open new accounts •  Make purchases •  Commit criminal activities in your name.

Article 82 of the EU General Data Protection Regulation (EU-GDPR) states that you have a right to compensation for non-material damage.

This means those affected are entitled to compensation for the stress, frustration, and anxiety associated with the breach.

If you received the data breach notification email from easyJet, whether you noticed any direct consequences or not , you have the right to seek compensation for the loss of control of your data and the serious risks associated with it.

Data security:

The security of your data is important and it is time to hold large companies accountable.

Financial gain:

You could receive significant compensation if you are eligible.

We make it simple:

It takes under a minute to start your claim.

Join the easyJet claim with PGMBM

PGMBM is a top international law firm and we are passionate about giving victims a voice against corporate wrongdoing.

We have specialist expertise in group claims and are currently litigating against several multinational corporations including VW, Mercedes, Uber, BHP, British Airways, and many more.

PGMBM are the lead solicitors in a similar claim against British Airways, currently supporting thousands of customers in their compensation claims.

We will do everything in our power to hold easyJet to account and obtain the compensation that we believe our clients deserve.

By joining PGMBM’s group action with thousands of other affected easyJet customers you have the best chance of receiving the highest compensation possible.

It takes under a minute to sign up. Get started now.

easy jet data breach

We have specialist expertise in group claim s and are currently litigating against several multinational corporations including VW, Mercedes, Uber, BHP, British Airways, and many more.

By joining PGMBM’s group action with thousands of other affected easyJet customers you have the best chance of receiving the highest compensation possible .

It takes under a minute to sign up . Get started now.

Yes. As both easyJet and PGMBM are based in the UK, we can bring claims on behalf of all affected clients irrespective of where they live.  

We cannot currently put a final figure on this, but our team of expert solicitors and barristers are aiming to win as much money as possible. We believe this could be up to £2,000 depending on individual circumstances.  

The easyJet Data Breach claim is being litigated as a group action, meaning it grows stronger as more people sign up. If you know anyone who may have been affected, please encourage them to join the claim.  

We will keep you updated as the case progresses.  

It will not cost you a penny to sign up to join the claim. By acting on a No-Win, No-Fee basis, you will only pay a percentage of the damages awarded to you if the case is successful.   If we don’t win the case, you will not pay anything. We will cover all the legal fees, court fees, and insurance costs. All you need to do is submit your details to our Chatbot and we will advise you on how to move forward.  

To join our claim, the main piece of information you will need is a notification email from easyJet, which was sent between April and July 2020. 

The email had the subject line ‘Cyber Security Incident’ and stated that those affected were individuals who booked easyJet flights or holidays between 17 October 2019 and 4 March 2020.  

It is important that you have retained this email to be able to claim, so please check your junk and spam folders, too. Aside from the notification email, all you will need is your name, email address, and phone number.

It takes under a minute to start your sign up and begin the process to claiming your compensation.  

To start your claim, all you need to do is submit your name, email address, home address, and phone number via our Chatbot.   We will then send you a short questionnaire to confirm your eligibility and gather some further information.   Once we have carried out all the necessary checks, we will contact you to let you know if your application to join the claim has been successful. There’s nothing further to do at this point except sit back and let us do all the legal work!

We aim to update you on the progress of your claim every three months.   

Don’t forget, you do not pay anything to sign up, so why wait?  

If you received an email from easyJet about your involvement with the breach between April 2020 and July 2020, you are eligible to join the claim. To claim compensation, you will need access to the email.  

Once you have submitted your details to us, we will review it and determine your eligibility.  

There are no risks or initial costs involved, and all your information is kept secure and confidential.  

We appreciate that you may not keep emails from a year ago and so we are doing our best to assist you with this problem. Please still get in touch with us if you think you received the notification email but no longer have access to it.   Don’t forget to ch eck your junk and spam emails for a message titled ‘ Cyber Security Incident ’.  

PGMBM is committed to successfully resolving your claim as soon as possible. However, the case is still in the early stages and we cannot put a time frame on how long it may take at this point.  

You will not pay anything unless the case is successful. If the case is won, you will be charged a maximum of 30% of your compensation.  

No. You will not have to pay anything if we don’t win the claim, provided that you keep to the terms of our sign up documents. This is what we mean by No-Win, No-Fee.  

There is currently no time limit in place. However, the court will implement a cut-off date in due course so we advise that you sign up as soon as possible.  

The claim will be processed as a group action, meaning we will litigate on behalf of all our claimants under one ‘umbrella’. This makes the claim stronger, faster, and easier to move forward.  

All of our claims are carried out in this way, meaning our team are highly skilled in this form of litigation. With PGMBM, you can rest assured that your claim is in good hands and that you have the best possible chance of compensation.  

Group action claims are strengthened by the amount of people who sign up, so, if you know anyone else who may have been affected, please encourage them to join.  

Your claim will be brought to court under the Data Protection Act 2018, which incorporates the GDPR.   

We believe that easyJet have misused your private information and breached your privacy, which will be the focus of our argument.   

Yes, everyone affected by the data breach is entitled to claim and we will guide you through every step of the process.   Don’t wait: Join now.  

easy jet data breach

Here to help air passengers

AirHelp is the world’s largest air passenger rights company.

Since 2013, we have helped over 16 million travellers understand their rights and claim compensation for flight disruption like delays and cancellations.

Our fight for justice for air passengers leads us to stand up to airlines in court, campaign for national governments to introduce fair air travel rights, and push for fair passenger compensation, including for data privacy violations.

PGMBM: your best chance for compensation

PGMBM is a top international law firm combining the talents of some of the UK’s leading solicitors and barristers.

Our lawyers are some of the brightest and the best in their fields, giving you the best chance of success with your claim. The breadth of experience they possess is unparalleled, having worked for governments, multi-national organisations and NGOs, as well as being leaders of the trial bar in their respective countries.

We are responsive, we are dynamic, and we think big.

Follow us on social media to learn more about our cases and  values.

easy jet data breach

PRIVACY POLICY | COMPLAINTS POLICY

PGMBM (a trading name of PGMBM Law Ltd) – SRA License Number 512898

PGMBM is authorised and regulated by the Solicitors Regulation Authority and complies with the Solicitors Code of Conduct, a copy of which can be located here .

Badge

Follow us on social media to learn more about our cases and values.

PGMBM (a trading name of PGMBM Lw Limawted) – SRA License Number 512898

Badge-p4zqxpk7fufu3rnx0iw05q294cvwiuq2j5tjdyz8zu

13/01 09:00 Our Chatbot is currently unavailable due to scheduled maintenance. Please call us on 03330 155 900 or try again later

We've detected unusual activity from your computer network

To continue, please click the box below to let us know you're not a robot.

Why did this happen?

Please make sure your browser supports JavaScript and cookies and that you are not blocking them from loading. For more information you can review our Terms of Service and Cookie Policy .

For inquiries related to this message please contact our support team and provide the reference ID below.

easy jet data breach

Online Grocery-Deliverer Sheds Customers’ Data-Breach Lawsuit

By Tre’Vaughn Howard

A federal judge dismissed a proposed class action against online grocery-delivery company Weee! Inc. over a data breach, finding that two former customers failed to allege an injury.

Tyson Liau and Richard Teng lacked standing to sue because the leak only disclosed low-risk data such as their name, addresses, and phone numbers, the US District Court for the Southern District of New York said. The plaintiffs also said they were injured by spam calls and texts, but they didn’t show such annoyances were beyond those typically faced by consumers or were even traceable to the breach.

The court considered “‘three ...

Learn more about Bloomberg Law or Log In to keep reading:

Learn about bloomberg law.

AI-powered legal analytics, workflow tools and premium legal & business news.

Already a subscriber?

Log in to keep reading or access research tools.

IMAGES

  1. easyJet Breached: 9 Million Travelers Exposed

    easy jet data breach

  2. The Easyjet Major Data Breach

    easy jet data breach

  3. EasyJet admits massive data breach via cyber-attack

    easy jet data breach

  4. EasyJet data breach affects 9 million customers

    easy jet data breach

  5. A look into GDPR and the late Easy Jet Breach

    easy jet data breach

  6. EasyJet Suffered Data Breach Exposing 9 Million Travel Records

    easy jet data breach

VIDEO

  1. bollywood actors having private jet

  2. How to Make an Easy Jet Paper Airplane

  3. Easy Jet A320N

  4. easy jet project in progress

  5. Easy jet flight 5607

  6. EASY JET AIRCRAFT

COMMENTS

  1. EasyJet admits data of nine million hacked

    Reuters EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers. It said email addresses and travel details had been stolen and that...

  2. EasyJet data breach

    The EasyJet data breach was a cyberattack on the computer systems of British airline EasyJet. [1] [2] Discovery EasyJet first learned of the cyberattack at the end of January 2020. [1] [2] Approximately nine million people were affected with the credit card details of 2,208 also accessed. [1]

  3. EasyJet faces £18 billion class-action lawsuit over data breach

    According to the firm, easyJet's data breach took place in January 2020, and while the ICO was apparently notified at this time, customers were not informed until four months later. CNET:...

  4. 9 million EasyJet customers hit by data breach: What to do now

    The BBC reported that EasyJet learned of the breach in January and notified customers whose credit cards were compromised in early April. If you've got an online account with EasyJet, it...

  5. EasyJet admits data of nine million hacked

    Reuters EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers. It said email addresses and travel details had been stolen and that...

  6. EasyJet faces group legal claim over cyber attack data breach

    EasyJet is facing a legal claim brought by thousands of its customers after the airline last month said the personal details of about 9m passengers were breached by a cyber attack. About 10,000...

  7. EasyJet to be sued over customer data breach

    "This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet's customers," said PGMBM managing partner Tom Goodhead.

  8. EasyJet reveals cyber-attack exposed 9m customers' details

    Tue 19 May 2020 07.13 EDT EasyJet has revealed that the personal information of 9 million customers was accessed in a "highly sophisticated" cyber-attack on the airline. The company said on...

  9. easyJet Says Details of Nine Million Customers Accessed in Data Breach

    News 19 May 2020 James Coker Deputy Editor, Infosecurity Magazine Follow @ReporterCoker easyJet has revealed that the personal data of approximately nine million of its customers has been accessed following a "highly sophisticated" cyber-attack on its system.

  10. EasyJet: Nine million customers' details 'accessed' by hackers

    Image: EasyJet is the latest airline to have fallen victim to a data breach Why you can trust Sky News. Easyjet has revealed that the personal details of nine million customers have been accessed ...

  11. TeamPassword

    ‏‏‎ ‎ The Fallout from the 2020 EasyJet Data Breach EasyJet's fate is still to be determined. The ICO is conducting its investigation into the matter and, judging by what happened to British Airways, EasyJet will likely receive a fine.

  12. EasyJet hacked: data breach affects 9 million customers

    In a data breach notification disclosed today, EasyJet states that they have suffered a cyberattack, and an unauthorized third-party was able to gain access to their systems. During this attack ...

  13. EasyJet suffers large scale data breach and faces potential group

    On 19 May 2020, EasyJet confirmed that it was targeted in a highly sophisticated cyber-attack. The airline group said that email addresses and travel details of approximately nine million customers worldwide were accessed, out of which 2,208 customers had their credit and debit card details (including each card's security code) accessed.

  14. EasyJet breach affecting 9 million results in massive GDPR lawsuit

    Lawyers always seem to recognize a good data breach when they see one. A British law firm, PGMBM, announced Tuesday it filed a lawsuit against EasyJet, the largest airline in the U.K., in connection with a security incident in which details about 9 million people were exposed. The firm is seeking up to £18 billion ($22 billion), including up to 30% in fees, or roughly £5.4 billion ($6.6 ...

  15. "Limited resources" scupper ICO probe into EasyJet breach

    The EasyJet hack remains one of the largest data breaches in UK history, with data belonging to around nine million customers exposed. Information including names, email addresses, travel details, and credit card details was accessed in the breach.

  16. EasyJet Data Breach Exposes 9 Million Customers' Details

    In October 2018, Hong Kong-based Cathay Pacific Airways warned customers that it had suffered a four-year data breach that exposed personal information for more than 9 million passengers and ...

  17. EasyJet Data Breach: 9 million hacked. Claim £2,000 in compensation

    Major update: easyJet data breach victims already filed a class action law suit to sue airline for up to £2,000 in compensation. The court has already accepted the case and if you suffered from easyJet data breach. We advise to act fast and submit request for free evaluation, so you can join the class action.

  18. EasyJet Data Breach

    full names email addresses travel data (booking details such as dates, departure and arrival locations, etc.) Moreover, the company disclosed that the credit card details of more than 2,200 passengers were stolen. Such financial and personal data breaches may lead to serious consequences threatening the security risk of affected passengers.

  19. Key Takeaways from the EasyJet Data Breach

    Admitting mid-May to a data breach, EasyJet became yet another victim of lax data security as they confirmed that nine million customers' personal data was compromised, including travel plans, email addresses, and credit card details of more than 2,000 customers. Nine million EasyJet customers must now increase their vigilance against ...

  20. Easyjet Data Breach Compensation

    EASYJET DATA BREACH COMPENSATION You could be eligible for up to £2,000/ €2,200 or more depending upon your individual circumstances. SEE IF YOU CAN CLAIM ABOUT THE CASE EasyJet announced on the 19th May, 2020 that sensitive personal data of 9 million travellers had been exposed in a data breach.

  21. What the EasyJet Data Breach Means for Your Business

    EasyJet's data breach involved the following types of personal data: Email addresses; Travel details (i.e. information about flight bookings) Credit card details (of 2,208 customers) Due to the risks of identity theft and financial loss, it was clearly necessary for EasyJet to report its data breach to the ICO.

  22. easyJet Data Breach

    About the easyJet data breach claim. On the 19th May 2020, easyJet announced they were victim to one of the UK's largest ever data breaches. Around nine million easyJet customers had their personal data accessed, including, names, email addresses, travel details and, in some cases, their credit card details. It left many customers concerned ...

  23. easyJet Data Breach Compensation Claim

    More than 9 million people were affected by the easyJet data breach, and PGMBM is already representing thousands of them. If you received an email from easyJet between April and July 2020 notifying you that your data had been breached, you are eligible to join our claim to hold easyJet accountable. As both PGMBM and easyJet are based in the UK ...

  24. Sunak Faces Potential UK By-Election Spurred by Tory Scandal

    UK Prime Minister Rishi Sunak faces a potential special election triggered by the downfall of a scandal-hit Conservative lawmaker, threatening a fresh test of his authority after the Tories lost ...

  25. Online Grocery-Deliverer Sheds Customers' Data-Breach Lawsuit

    Inc. over a data breach, finding that two former customers failed to allege an injury. Tyson Liau and Richard Teng lacked standing to sue because the leak only disclosed low-risk data such as their name, addresses, and phone numbers, the US District Court for the Southern District of New York said. The plaintiffs also said they were injured by ...