EasyJet 'slap on wrist' shoots down £18bn class action

The Information Commissioner’s Office appears to have put the kibosh on yet another data protection class action after it has emerged that EasyJet has escaped with little more than a slap on the wrist for its mass data breach, which saw the personal details of 9 million customers compromised, and the credit card details of just over 2,200 stolen.

The move has only just emerged following a Freedom of Information request – filed by Mishcon de Reya senior data protection specialist Jon Baines – about reprimands made under GDPR between May 2018 and November 2021.

Reprimands are not made public by the ICO even though it publicises the fines it issues.

The document reveals that EasyJet actually informed the ICO about the breach in late 2019, months before it told its customers and the media in May 2020.

The May announcement immediately triggered an £18bn class action claim from law firm PGMBM (formerly SPG Law) and by June more than 10,000 customers had signed up seeking compensation for the loss of their personal information.

PGMBM cited Article 82 of GDPR, which gives customers the right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

Even so, at the time, the airline insisted there was no evidence that the data had been “misused” and said the online channels affected by the attack had been closed.

In response to the legal threat, EasyJet said: “We are aware that a class action law firm has filed a claim against EasyJet in the High Court and that other firms are advertising their services to do the same. This is not uncommon and just because these firms are advertising does not mean they have a strong claim.”

In fact, EasyJet knew the claim was virtually groundless as it had already received the ICO’s private reprimand in November 2019 – six months before going public.

The FOI response shows that EasyJet is one of 42 organisations which have been given reprimands since GDPR came into force, with other high profile brands including TSB, Asda, Morrisons, Zoom and Bupa.

One of the most recent – and potentially most controversial – is that US cloud and education software giant Blackbaud only received a reprimand for its 2020 data breach, which hit nearly 170 UK universities and charities, compromising bank account information and users’ passwords of some customers.

Blackbaud, which also admitted paying off a ransomware demand to get the data back, was cautioned in September this year.

An ICO spokeswoman told The Register: “The ICO’s aim is to protect people from poor organisational practices that put their personal information at risk. We have a range of powers to help us do that, including issuing reprimands and warnings to ensure the right policies and practices are in place. If we find that organisations have not made changes as set out in reprimands, or if any further incidents or complaints are reported to us, we can consider further regulatory action.”

The FOI document is a further blow to the “no win, no fee” data privacy compensation lawyers following last month’s ruling in the Supreme Court which means legal firms will now need to have solid proof of the damages that a data breach has caused.

Share with friends and colleagues

Related Articles