Data leak
EasyJet Data Breach: 9 Million Customers, 2,208 Credit Cards
Incident Details
In May 2020, easyJet (the UK-based low-cost airline) disclosed that it had suffered a cyberattack in which approximately 9 million customers had their email addresses and travel details exposed, and 2,208 customers had their credit card details stolen, including CVV codes. EasyJet became aware of the attack in January 2020 but took until May 19, 2020 to notify customers, a delay that drew criticism and scrutiny from the UK Information Commissioner’s Office (ICO), which can issue fines under GDPR. The ICO investigated the breach. The airline described the attack as ‘highly sophisticated.’ The incident prompted a class-action lawsuit filed by law firm PGMBM on behalf of approximately 10,000 customers, which sought up to £18 billion in aggregate damages. EasyJet notified the 2,208 customers whose credit card details were stolen by April 4, 2020, but waited an additional six weeks to notify the broader 9 million customers, a prioritization that raised questions about GDPR breach notification obligations (which require notification within 72 hours of becoming aware). The breach occurred during the COVID-19 pandemic, at a time when the aviation industry was under severe financial stress.
Technical Details
- Initial Attack Vector: Sophisticated cyberattack against easyJet's systems; the specific technical attack vector was not publicly disclosed by the airline, but the UK's National Cyber Security Centre (NCSC) and ICO investigated.
Timeline
- 2020-01-01 Breach occurred
- 2020-05-19 Publicly disclosed
- 2020-05-19 Customers notified