[BreachExchange] EasyJet faces £18 billion class-action lawsuit over data breach

Tue May 26 10:18:50 EDT 2020

https://www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/

UK budget airline easyJet is facing an £18 billion class-action
lawsuit filed on behalf of customers impacted by a recently-disclosed
data breach.

Made public on May 19, easyJet said that information belonging to nine
million customers may have been exposed in a cyberattack, including
over 2,200 credit card records.

The "highly sophisticated" attacker to blame for the security incident
managed to access this financial information, as well as email
addresses and travel details. EasyJet is still contacting impacted
travelers.

The carrier did not explain how or exactly when the data breach took
place, beyond that "unauthorized access" has been "closed off."

The National Cyber Security Centre (NCSC) and the UK's Information
Commissioner's Office (ICO) have been notified, of which the latter
has the power to impose heavy fines under GDPR if an investigation
finds the carrier has been lax in data protection and security.

Last year, British Airways faced a "notice of intent" filed by the ICO
to fine the airline £183.4 million for failing to protect the data of
500,000 customers in a data breach during 2018.

Top 5 tactics to combat breaches

With everyone working remotely, its more crucial than ever to make
sure sensitive data doesn't fall into the wrong hands. In this eBook,
deep dive into IAM (Identity and access management) tactics to create
an effective defense to keep your data secure.

White Papers provided by One Identity

However, easyJet has a more immediate legal concern due to law firm
PGMBM, which has issued a class-action claim with a potential
liability of £18 billion, or up to £2,000 per impacted customer.

The lawsuit has been filed in the High Court of London on behalf of
customers. According to the firm, easyJet's data breach took place in
January 2020, and while the ICO was apparently notified at this time,
customers were not informed until four months later.

"The sensitive personal data leaked includes full names, email
addresses, and travel data that included departure dates, arrival
dates, and booking dates," PGMBM says. "In particular, the exposure of
details of individuals' personal travel patterns may pose security
risks to individuals and is a gross invasion of privacy."

The class-action lawsuit leans on GDPR legislation which gives
consumers the right to claim compensation when their information is
compromised in security incidents.

Tom Goodhead, PGMBM Managing Partner said the "monumental" data breach
is a "terrible failure of responsibility that has a serious impact on
easyJet's customers."

EasyJet told ZDNet that the company "will not be commenting on this matter."

In related news this month, Verizon's latest Data Breach Investigation
Report highlights how a common factor in data breaches, the
misconfiguration of cloud-based repositories and buckets, continues to
a problem of which the scale is being made more apparent due to
increased reporting.

Furthermore, Verizon says that configuration errors are now a rising
trend in data breaches, alongside malware variants including scrapers,
the use of stolen credentials, and phishing.