← All breach guides

easyJet data breach — exercise your GDPR rights

In May 2020, easyJet disclosed a 'highly sophisticated' cyberattack that exposed the email addresses and travel details of approximately 9 million customers. For 2,208 of those customers, full credit card details — including CVV security codes — were stolen. The attack is believed to have begun in January 2020 but was not disclosed until May. easyJet processes extensive personal data including booking history, passport details for checked-in passengers, and payment records.

⚖️ Regulatory action: The UK ICO opened a formal investigation into easyJet following the 2020 breach. All 9 million affected customers were notified and advised to be vigilant against phishing. The ICO's investigation did not result in a publicised monetary fine. Affected customers have pursued class action litigation.

What happened

2020 9 million customers affected

Attackers accessed easyJet's systems in a cyberattack disclosed in May 2020. Approximately 9 million customers had email addresses and travel itinerary details exposed. A subset of 2,208 customers had full credit card details stolen, including CVV security codes. The breach is believed to have occurred from January 2020 but was not discovered and disclosed until May.

Data exposed:
  • Email addresses
  • Travel itinerary details (routes, dates)
  • Credit card numbers (2,208 customers)
  • Credit card expiry dates (2,208 customers)
  • CVV security codes (2,208 customers)

What you can do

If you have ever booked a flight with easyJet, your email address and travel history were almost certainly exposed in the 2020 breach. A GDPR subject access request will confirm what data easyJet holds — including all booking history, payment records, and any passport or identification data — and whether it was included in the breach.

You have two key rights under GDPR:

Note: easyJet plc is the data controller for UK and EU passenger data. Submit your request to the Data Protection Officer, easyJet plc, Hangar 89, London Luton Airport, Luton, LU2 9PF, UK. Privacy portal ↗

Generate your access request

This letter is pre-addressed to easyJet plc, the official EU data controller for easyJet.

To: easyJet plc
Hangar 89, London Luton Airport, Luton, LU2 9PF, United Kingdom

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

Text copied to clipboard

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.

No response after one month? File a complaint with your DPA →

Select your country to find your data protection authority:

Share: