Dutch SA fines Transavia for poor personal data security

Background information

• Date of final decision: 23 September 2021
• Cross-border case: cross-border case
• If cross-border, LSA: Netherlands
• and CSAs: Ireland, France, Belgium, Denmark, Poland, Cyprus, Italy, Baden-Württemberg, Austria, Finland, Sweden, Slovakia, Hungary, Berlin, Bavaria private sector, Norway, Rineland Palatinate, Spain, Portugal, Croatia, Iceland, Slovenia
• Controller:  Transavia Airlines C.V.  
• Legal Reference: Security of processing. Article 32 (1) and (2)
• Decision: Infringement of the GDPR, administrative fine
• Key words: Security of processing, data security breach

Summary of the Decision

Origin of the case

The Dutch Supervisory Authority (SA) started this investigation after a data breach notification by Transavia.

Key Findings

Due to poor security of personal data, a hacker was able to break into Transavia’s systems, in which he could have potentially had access to the data of 25 million passengers. It has been determined that the hacker actually downloaded the personal data of 83,000 people. The hacker broke into Transavia’s systems in September 2019 using two of the company’s IT department accounts. There were three security flaws that made it simple for the hacker to do this:

• The password was easy to guess.
• Only the password was needed to enter the system. There was no multi-factor authentication in place.
• Once the hacker had control over the two accounts, he also had access to multiple Transavia systems. This is because the access rights connected to these accounts were not restricted to necessary systems only.

Decision

The Dutch SA has fined Transavia €400,000.

For further information:  Dutch DPA fines Transavia for poor personal data security