2020 was a fairly bonkers year for obvious reasons. At the peak of Tiger King, banana bread, and furiously checking whether your walk outdoors was legal or not, Easyjet were yet another multi-million corporation caught up in a GDPR breach.
On the 21st May 2020 Easyjet contacted customers whose personal information had been compromised in one of the biggest data breaches post-GDPR in the UK. Customers who had booked a holiday or flight between October 2019 and March 2020 (so as you would imagine an awful lot) have been affected. More than 9 million customers were affected by the hack; which saw not only their full name, addresses, and travel data compromised (all heavy enough security risks for a person), but also bank card details.
This wasn’t even Easyjet’s biggest blunder of that time. If anyone was misfortunate enough to have booked a holiday with them just before this time (raises hand) that was rendered illegal due to covid, several months were spent trying to reach someone, anyone at all, within the company that could help them with a refund. Despite being legally obliged to refund cancelled flights/holidays within 7 days, consumers (many subject to redundancy/reduced furlough pay/left high and dry by Westminster as a self-employed person falling outwith their ridiculously strict criteria for help) where the refunded money for a holiday booked when they lived a different life was the difference that month between heating or eating. Instead of stepping up and using the pandemic as a chance to prove their trust rating to consumers, which at the most cynical business perspective is a logical step to take – they did everything possible they could to swerve customers. They closed their phone lines, bounced emails, and those persistent enough or in a dire enough situation to be persistent enough to achieve some kind of resolution; were fobbed off with useless-in-covid travel vouchers. This wasn’t symptomatic of an airline industry dealing with a new and scary happening. Many organisations (Jet2 you angel we’re looking at you) got more staff on the tools, implemented WFH very quickly, and made well sure customers rightfully got their cash back.
This is a very relevant stage to push s75 protection. If you pay for anything over £100 on your credit card up to just over £60k, your credit card company is jointly and severally liable in this situation. In its simplest terms you usually get your cash back from the credit card company and the credit card company (with far greater resources) can then continue to chase the recovery for themselves. If under £100 your credit and debit card provider can initiate a chargeback, but it’s close to being goodwill on the basis of how good the company is.
Easyjet treated their customers with as much contempt in the data breach as they did with the covid-refunds. Despite reporting to the ICO themselves in January 2020 – so they’d have avoided the commercial covid-crush had they acted appropriately – it took them 4 months to report to affected consumers what they did and failed to do.
Thompsons Solicitors were the very first firm to raise a group action in Scotland. It’s also very likely we’re going to litigate the first data breach group action in Scotland, should Easyjet not come to the negotiating table first. If you have been affected by the Easyjet scandal Talk to Thompsons today on 0800 0891 331 to register your details with our specialist GDPR team.
Blog by Catherine McGarrell, Solicitor