An £18 billion group class action has been filed against easyJet by customers impacted by a large-scale data breach.

International law firm PGMBM said it has issued a class action claim in the High Court of London with a potential liability of £18 billion. This means customers may be entitled to compensation of £2,000 each.

The move follows the budget airline’s announcement it had been the subject of a “highly sophisticated cyber-attack” on May 19 in which the email addresses and travel details of around nine million customers were accessed as well as the credit card details of 2,208 customers.

The law firm said that although the airline had announced the breach on May 19, it actually occurred four months earlier, in January, and said easyJet had failed to notify its customers until now.

PGMBM said it was taking the action under Article 82 of the EU General Data Protection Regulation (EU-GDPR), which gives customers the right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

The firm is seeking a group litigation order and urging all those affected to come forward and join the claim for compensation.

Managing partner Tom Goodhead said: “This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers.

“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”