Back in 2020, over nine million EasyJet customers had their personal information hacked. The huge breach is one of the UK’s biggest ever data privacy failures. Despite the magnitude of the attack, the UK’s data protection authority has ceased its investigation into the incident. As a result, EasyJet avoids facing any financial penalties for its failure to safeguard customer data.
What happened in the EasyJet data breach?
The personal details of nine million EasyJet customers, along with the financial data of over 2,000, was accessed in a sophisticated cyber-attack. Those impacted had booked flights between 17th October 2019 and 4th March 2020.
Despite the airline’s assurances that no evidence of financial harm surfaced, Action Fraud confirmed numerous reports linked to the EasyJet data breach. Disturbingly, some victims fell prey to identity theft and fake ticket fraud. One individual claims to have suffered a loss of £2,750 in the aftermath of the cyber-attack.
Even in cases where there are no financial losses, the emotional toll of such violations can be severe. Recognising this, the law acknowledges the profound impact a breach can have on mental well-being, permitting individuals to seek compensation for any resulting psychological anguish.
Why isn’t EasyJet being fined for the data breach?
In August 2023, the Information Commissioner’s Office (ICO) terminated its investigation into the EasyJet data breach. The ICO is the UK’s data protection regulator. Following serious breaches of the UK’s data protection laws, it has the power to issue fines of up to £17.5 million or 4% of an organisation’s annual worldwide turnover, whichever is higher. For example, following a data breach at British Airways, the airline was eventually fined £20 million by the ICO in 2020. In this case hackers harvested the data of almost 400,000 customers.
Despite the scale of the EasyJet hack, the ICO has dropped its investigation into the matter blaming “limited legal and investigative resources”. Worryingly, lawyers believe that the decision appears to be based on how overloaded the regulator is, rather than the merits of the case. According to data breach solicitors KP Law “We should all be incredibly concerned if the ICO is so under-resourced that it cannot hold big companies to account for their serious data protection failings.”
So, has EasyJet got away with it?
Not quite. Following large scale data breaches there are two ways to hold companies to account:
- Make a report to the ICO. The ICO will decide whether or not to investigate the breach, and has the power to fine companies if poor security measures made the hack possible.
- Make a data breach claim. Even if the ICO does issue a fine, this money does not go to victims of the breach. The only way people can force a company to pay compensation for its failure to protect their data rights is to take legal action.
Making an EasyJet data breach claim is easy
If you booked flights with EasyJet from 17 October 2019 to 4 March 2020 and have been notified that your data was involved in the breach, you could have a NO-WIN, NO- FEE compensation claim.
Our simple eligibility checker provides instant clarity. Answer a few straightforward questions, and you’ll know if you could qualify for an EasyJet data breach group action claim.