Lawyers always seem to recognize a good data breach when they see one.
A British law firm, PGMBM, announced Tuesday it filed a lawsuit against EasyJet, the largest airline in the U.K., in connection with a security incident in which details about 9 million people were exposed. The firm is seeking up to £18 billion ($22 billion), including up to 30% in fees, or roughly £5.4 billion ($6.6 billion), for itself. The suit in London’s High Court follows similar legal action against British Airways, which announced its own data breach in 2018.
EasyJet said on May 19 that hackers had accessed travel information about up to 9 million people, and credit card details belonging to more than 2,000 people. While it remains unclear exactly when the breach occurred, the BBC first reported that EasyJet had learned of the attack in January, only to disclose it months later. Some customers have reported receiving EasyJet-themed phishing messages, according to the Register, though it remains unclear if the personal data lost in the breach is being used for fraud.
The U.K. Information Commissioner’s Office also said it is investigating the incident. The European Union’s General Data Protection Regulation requires breached organizations to report incidents involving personal information within 72 hours, under some circumstances.
PGMBM said much of its legal argument will rest on Article 82 of the GDPR, which guarantees the “right to compensation and liability” to “any person who has suffered material or non-material damage[.]”
PGMBM also has filed suit against British Airways for the breach there that resulted in the theft of information about 500,000 customers. The U.K.’s ICO fined British Airways £183.39 million ($229.2 million at the time) for security vulnerabilities that made it possible for hackers to insert malware onto digital payments systems. While British Airways has appealed the fine, the proposed punishment from the ICO was among the first major maneuvers that exposed regulators’ appetite for enforcing GDPR.
In February, the European Data Protection Board released a report in which 20 out of 27 countries said they do not have enough financial, technical or employee resources to enforce GDPR with timely investigations.
The lawsuit filed against EasyJet is a group litigation order, which is different from American class-action lawsuits. British GLOs could be more vulnerable to a range of legal challenges that could result in the lawsuits being delayed, or thrown out entirely, as the Register noted.