, , , ,

Is EasyJet deliberately downplaying the impact of its data breach?

EasyJet hit the headlines when it was revealed that the email addresses and travel details of nine million people and the financial details of 2,208 customers had been breached. But at Hayes Connor, we’re not convinced that the budget airline comprehends how significant this breach is. Or, if it does, it certainly isn’t owning up to it.

EasyJet claims there is no evidence that any personal information has been misused

In a statement admitting to the EasyJet data breach, the company said that “there is no evidence that any personal information of any nature has been misused”. But it can’t possibly know what the impact of this hack will be. Just because it doesn’t look like the data has been misused yet, doesn’t mean that it won’t be.

According to an article in The Independent, personal information “drives a higher price on the dark web” and “could be used for organised crime or ransomed”. Another article claims that “Airlines hold valuable personal information [that] could all be used by criminal organisations to commit identity fraud or further phishing campaigns as part of a larger operation”. Furthermore, most cybersecurity experts agree that it is too soon to say what has and will happen with EasyJet’s hacked customer data.

Certainly, we would advise anyone involved to beware of the following risks:

  • The risk of phishing. Victims of the EasyJet data hack could be targeted by phishing scammers. Phishing occurs when a cybercriminal poses as a legitimate organisation, the police, or someone else you trust to trick you into handing over sensitive information. In particular, EasyJet is advising customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays
  • The risk of financial fraud/theft. Over 2,200 customers had their credit card details accessed in the EasyJet data hack. With enough financial information, cybercriminals can set up fraudulent bank accounts and access your existing accounts. They can also make payments using your data, and even apply for credit/loans
  • The risk of COVID-19 scams. Hackers will likely try to take advantage of people who are cancelling flights because of the pandemic. What’s more, people are more susceptible to scans when they are already anxious, and the combination of being hacked and coping with the pandemic is likely to cause additional stress. So you must be on your guard.

EasyJet isn’t acknowledging the potential emotional impact of the data breach

On its website, EasyJet says that it won’t be paying compensation to most customers. It states that:

“Apart from the very small subset of customers who we have already notified, no credit card details have been impacted.  We therefore do not expect there to be any financial loss caused by this incident.  We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications”.

This statement proves that EasyJet is not taking responsibility for its failure to protect personal customer information.

The impact of the EasyJet data breach is likely to go much further than financial losses. And, EasyJet does the nine million customers who haven’t had their financial data stolen a disservice to assume otherwise.

A personal data breach is a 21st-century version of being burgled. And, following a robbery, people often feel shock, anger, fear, helplessness and panic. Some will go on to suffer from psychological problems, and existing conditions are often exacerbated.

Renowned clinical psychologist Professor Hugh C. H. Koch is an expert on the typical psychological effects experienced by victims of data breaches. He told us:

“Data breach victims typically experience high levels of anxiety, specific to the data breach but also generalised to other aspects of dealing with correspondence, telephone and digital communication and payment for services. Victims experience social anxiety, with difficulties dealing with friends and neighbours, tradesmen, shopping transactions and can develop oversensitivity or paranoia in their communications with others. They can also develop varying aspects of mood disturbances or depression especially including poor sleep and tearfulness.”

Thankfully, over the last few years, people are waking up to the reality of mental health and there is a greater awareness about the lasting effects of physiological suffering and anguish. What’s more, the law recognises the emotional damage that can be caused by a data protection failure, so EasyJet shouldn’t be allowed to get away with it.

EasyJet took months to let customers know they were at risk

EasyJet knew about the hack as far back as January. So why did the airline take four months to warn customers that hackers had their personal information? Especially as, under the General Data Protection Regulation (GDPR), if a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms”, organisations inform those individuals without undue delay.  Even customers who had their credit card details stolen in this hack were not told until early April.


Do you want to hold EasyJet to account?

At Hayes Connor, we have been contacted by people concerned that EasyJet has breached their data; many of whom are understandably upset and anxious about the breach.  In response, we are now registering victims of this breach to a no-win, no-fee group action.


To become part of our EasyJet group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us. We will also keep you updated about developments in this case as they happen.

There are no costs to register and no obligation to proceed.