Is EasyJet deliberately downplaying the impact of its data breach?

Easyjet data breach

In May 2020, EasyJet hit the headlines when it was revealed that the email addresses and travel details of nine million people and the financial details of 2,208 customers had been breached. But it is not clear if the budget airline comprehends how significant this breach is. Or, if it does, it certainly is not owning up to it.

EasyJet claims there is no evidence that any personal information has been misused

In a statement admitting to the EasyJet data breach, the company said that “there is no evidence that any personal information of any nature has been misused”. But it cannot possibly know what the impact of this hack will be. Just because it does not look like the data has been misused yet, doesn’t mean that it won’t be.

According to an article in The Independent, personal information “drives a higher price on the dark web” and “could be used for organised crime or ransomed”. Another article claims that “Airlines hold valuable personal information [that] could all be used by criminal organisations to commit identity fraud or further phishing campaigns as part of a larger operation”. Furthermore, most cyber security experts agree that it is too soon to say what has and will happen with the hacked customer data.

Certainly, we would advise anyone involved to beware of the following risks:

  • The risk of phishing. Victims of the EasyJet data hack could be targeted by phishing scammers. Phishing occurs when a cybercriminal poses as a legitimate organisation, the police, or someone else you trust to trick you into handing over sensitive information. In particular, EasyJet is advising customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays
  • The risk of financial fraud/theft. Over 2,200 customers had their credit card details accessed in the EasyJet data hack. With enough financial information, cybercriminals can set up fraudulent bank accounts and access your existing accounts. They can also make payments using your data, and even apply for credit/loans
  • The risk of COVID-19 scams. Hackers will likely try to take advantage of people who are cancelling flights because of the pandemic. What’s more, people are more susceptible to scans when they are already anxious, and the combination of being hacked and coping with the pandemic is likely to cause additional stress. So, you must be on your guard.

EasyJet is not acknowledging the potential emotional impact of the data breach

On its website, EasyJet says that it won’t be paying compensation to most customers. It states that:

“Apart from the very small subset of customers who we have already notified, no credit card details have been impacted.  We therefore do not expect there to be any financial loss caused by this incident.  We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications”.

But the impact of the EasyJet data breach is likely to go much further than financial losses. And EasyJet does the nine million customers who have not had their financial data stolen a disservice to assume otherwise.

A personal data breach is a 21st-century version of being burgled. And, following a robbery, people often feel shock, anger, fear, helplessness, and panic. Some will go on to suffer from psychological problems, and existing conditions are often exacerbated.

Thankfully, over the last few years, people are waking up to the reality of mental health and there is a greater awareness about the lasting effects of physiological suffering and anguish. What is more, the law recognises the emotional damage that can be caused by a data protection failure, so EasyJet is unlikely to get away with it.

EasyJet took months to let customers know they were at risk

EasyJet knew about the hack as far back as January. So why did the airline take four months to warn customers that hackers had their personal information? Especially as, under the General Data Protection Regulation (GDPR), if a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms”, organisations inform those individuals without undue delay.  Even customers who had their credit card details stolen in this hack were not told until early April.

Do you want to hold EasyJet to account?

We are now registering victims of this breach to a no-win, no-fee group action.

To become part of our EasyJet group action, we need you to register with us. We will then keep you updated about developments in this case as they happen. There are no costs to register and no obligation to proceed.

In March 2024, our firm changed its name to KP Law. 

Share this article: