The lawsuit aims to secure up to £2,000 per impacted customer.

UK budget airline easyJet is facing an £18 billion class-action lawsuit filed on behalf of customers impacted by a recently-disclosed data breach.

Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyberattack, including over 2,200 credit card records.

The “highly sophisticated” attacker to blame for the security incident managed to access this financial information, as well as email addresses and travel details. EasyJet is still contacting impacted travelers.

The carrier did not explain how or exactly when the data breach took place, beyond that “unauthorized access” has been “closed off.”

The National Cyber Security Centre (NCSC) and the UK’s Information Commissioner’s Office (ICO) have been notified, of which the latter has the power to impose heavy fines under GDPR if an investigation finds the carrier has been lax in data protection and security.

Last year, British Airways faced a “notice of intent” filed by the ICO to fine the airline £183.4 million for failing to protect the data of 500,000 customers in a data breach during 2018.

However, easyJet has a more immediate legal concern due to law firm PGMBM, which has issued a class-action claim with a potential liability of £18 billion, or up to £2,000 per impacted customer.

The lawsuit has been filed in the High Court of London on behalf of customers. According to the firm, easyJet’s data breach took place in January 2020, and while the ICO was apparently notified at this time, customers were not informed until four months later.

“The sensitive personal data leaked includes full names, email addresses, and travel data that included departure dates, arrival dates, and booking dates,” PGMBM says. “In particular, the exposure of details of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy.”

The class-action lawsuit leans on GDPR legislation which gives consumers the right to claim compensation when their information is compromised in security incidents.

Tom Goodhead, PGMBM Managing Partner said the “monumental” data breach is a “terrible failure of responsibility that has a serious impact on easyJet’s customers.”

EasyJet told ZDNet that the company “will not be commenting on this matter.”

In related news this month, Verizon’s latest Data Breach Investigation Report highlights how a common factor in data breaches, the misconfiguration of cloud-based repositories and buckets, continues to a problem of which the scale is being made more apparent due to increased reporting.

Furthermore, Verizon says that configuration errors are now a rising trend in data breaches, alongside malware variants including scrapers, the use of stolen credentials, and phishing.