How EasyJet customers could make money out of the airline being hacked

Lawyers are undoubtedly going to make some cash too.

How EasyJet customers could make money out of the airine being hacked

If you were one of the many EasyJet customers who received an email from the airline disclosing that your personal information may have been accessed by hackers, you might be eligible for compensation.

Law firm PGMBM has issued a class action claim on behalf of airline travellers impacted by the data breach, which made the headlines last week when EasyJet shared details publicly – months after it first realised it had been hacked.

The law firm estimates that each affected person may be able to claim up to £2000 in compensation. As nine million EasyJet customers are thought to have had their data exposed by the security breach, the action has a potential liability of £18 billion.

Sign up to our free newsletter.
Security news, advice, and tips.

And, according to PGMBM, you don’t have to provide any evidence that you have lost any money to claim compensation:

“Under Article 82 of the EU General Data Protection Regulation (EU-GDPR) you have a right to compensation for inconvenience, distress, annoyance and loss of control of your data.”

PGMBM is operating the claim on a “no win, no fee” basis, and affected members of the public aren’t putting themselves in any financial risk by participating in the group action. If the class action isn’t successful, PGMBM’s insurance will cover any of the costs. If the class action is successful, then PGMBM will collect 30% of claimants’ compensation.

Maybe they’ll invest some of that money into making slightly slicker videos.

PGMBM, formerly known as SPG Law, previously launched a £500 million group action against British Airways after it suffered a serious data breach that spilt 500,000 payment card details. The law firm currently represents around 6,000 people affected by the British Airways breach, and there’s still an opportunity until January 2021 for others to join the group action.

British Airways was subsequently hit with a record fine of £183 million by the Information Commissioner’s Office (ICO) .

More details of the EasyJet class action, and an FAQ, are available on a website set up for the group action: theeasyjetclaim.com.

There’s a part of me that isn’t a huge fan of law firms racing in hours after a data breach in announced, trying to make a pile of money. But there’s a larger part of me that really doesn’t like organisations having slack security and not properly protecting their customers’ personal data.

Ultimately if the fear of post-hack financial loss won’t make companies take data security more seriously, what will?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

17 comments on “How EasyJet customers could make money out of the airline being hacked”

  1. JoeC

    British Airways has yet to be fined by the ICO who have pushed back actually imposing the fine on multiple occasions now.

    1. Bob Lewington · in reply to JoeC

      Under section 82 my wife's was affected by this mrs Lynn lewington & had to change details we would like to be compensated

      1. Terry · in reply to Bob Lewington

        I was one of those affected my wife suffers with anxiety and stress so you can imagine how she felt

        1. Brad · in reply to Terry

          I would recommend all to read the information provided by PGMBM, if I have understood this information correctly:
          1. They acknowledge that the BA fine has not resulted in any payments to private individuals.
          2. Their "no win no fee" is slightly misleading, they state that they will probably take out insurance against the possibility of losing the case and having to pay costs to Easyjet, the premium cost will have to be paid by those signing up with PGMBM in the event costs are awarded to Easyjet.
          3. PGMBM are looking for payments from each individual in the event that the case is won of 30%, to cover their costs, and a further 30% as their fee.

  2. Phil

    If it takes no-win, no-fee leeches to apply a heavy financial penalty, so be it.
    Corporations have to start taking our privacy seriously enough to protect our data

  3. J K Isherwood

    Unfortunately these things happen. ‘Ambulance chaser’ type companies should put their efforts into finding and prosecuting the perpetrators rather than ‘kicking someone that’s already down’. During these unprecedented timed we should be working together to make life easier. If it is proven that individuals have lost finances as a result of this hack they are The ones due compensation-no one else.

    1. lee · in reply to J K Isherwood

      I disagree, companies now the regulation and the requirements and if they have a data breach they should be hit by fines and class action claims. I know of large companies that add GDPR fines in to their risk register and calculate their security response based on that fine; by bringing class action cases in to the mix this means they can no longer calculate the risk (based on money values only) and therefore do not mitigate by procuring cyber insurance or creating a GDPR pot.

      As for these unprecedented times, this data breach occurred in January before this all started so feel that the only people hit by this during the unprecedented times are 9 million people that are not risking credit fraud etc. Easyjet did not inform these people for 4 months, in breach of GDPR, and therefore deserve all the fines and class action claims that are coming to them.

      GDPR and security in general should be about protecting the individual and EasyJet have not done this, if it was a mistake the ICO will fine to suit and this will be the basis of any claim against them. But it is likely that even if the fine is small any claim will be successful as EasyJet have clearly not followed the regulations by trying to brush everything under the carpet for 4 months.

  4. Malcolm Russell

    Having received the email from EasyJet I’ve been one of the affected EasyJet customers.
    The email only suggests that my personal details have been taken and they believe my credit cards details were not accessed…guess what? A day after getting the EasyJet email my credit card details used for the EasyJet booking was stolen and used four times! I think their breach is bigger than they think! If you get get this email saying they don’t think your CC details have been accessed I’d assume they may have been!!!

    1. Graham Tookey · in reply to Malcolm Russell

      Hmmm, dubious, given that the data breach was in January and they have only just revealed the details and sent the emails out. Stolen details would have been used at the time of the breach before people were aware and blocked their credit cards

  5. Jack

    Some law firms are totally unethical, and could even pay hackers to steal data in order to be able to take the companies to court

  6. Malc

    What a World we live in…these parasitic lawyers only offer to get compensation as they make money from this.
    Ok yes companies should be held responsible but come on Easy Jet is an airline and a very efficient and successful airline. They are not specialist data protectors…go after the perpetrators of this crime not the airline…
    A sad World we live in if we only want compensation…!!!

  7. Lou

    I'm curious, how will this company obtain the details of customers to enable them to pursue compensation?

  8. Js

    Sure! We would all like to receive payouts from this, but remember one thing.
    Easy jet gives us cheap flights to far off destinations…..which are a lot more expensive through the likes of KLM and BA….You can't expect this to be the case…"excuse the pun". If they are hit with a massive fine. Fares will go through the roof or they will go to the wall..!!

  9. David Esp

    If they were lax – not up to the industry-standard/expected level of protection (e.g. stupid passwords, unencrypted information) then fair enough (and I for one would be happy to accept compensation in air miles). But if this happened despite their best endeavours, surely they should be supported, not hit (beyond having had to "bolster" their systems). Too much hatred and scapegoating in these times – standard meat-machine ego/control assertion within chaos?

  10. Sandra Layton

    I have received an email from Easyjet saying my flight and travel dates have been hacked, but not the Credit Card or a passport information! This now put my home as a prime target for Burglary. If we decide to travel it will be worrying whilst we are away!

    I think we should receive some form of compensation from Easyjet!

  11. Thomas D Dial

    In the US, such lawsuits are relatively common. They usually end in a negotiated settlement in which each plaintiff attorney receives a very large payment and each participating plaintiff receives a pittance. Over the years, I have received various small payments from such settlements, probably averaging less than $2, and sometimes in the form of discount coupons for a product for which I had no need or wish to purchase.

    The largest was in the Sony Playstation 3/Linux case in which my recollection is that the judge rejected a payment of about $30 because he thought it too small, and a payout of $50 – $60 was proposed. I completed the forms and submitted proof I had purchased a Playstation 3 and a copy of Yellow Dog Linux during the appropriate time period (and dusted off the Playstation and saw it actually boot and operate). I received, quite a few months later, a postcard that was a check for $10 and change.

    I consider these lawsuits to be distinguishable only with difficulty from organized criminal racketeering for which, in other contexts, we have laws that carry long prison sentences. It saddens me a bit to see we have exported them to other countries.

  12. Graham Tookey

    Absolute disgrace if you sign up to this law suit, this would be the end of Easy Jet and cheap flights. I had the email saying my flight details had been hacked but not my credit card etc. So now the hackers know when 9 million of us are going away, or not as the case will most likely be! Do you really think they are planning 9 million burglaries? These hackers are capable of beating even the most robust data protection systems and more often than not, do it just to prove they can so we shouldn't be hounding Easy Jet for compensation they can ill afford to pay. Or maybe you can put the money you might receive down as a deposit for your next flight with whatever airlines might be left standing

Leave a Reply to Brad Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.