Details:
| Summary | The Dutch DPA has fined airline Transavia EUR 400,000. In 2019, the airline suffered a data breach, in which a hacker gained access to Transavia’s systems through two accounts held by the company’s IT department. This could have potentially allowed the hacker to access data such as names, dates of birth, gender, email addresses, phone numbers, flight information and booking numbers of 25 million passengers. It was found that the hacker actually downloaded the personal data of 83,000 people. In 367 cases, the data included medical information of people who had requested, for example, wheelchair transportation or additional services because they were blind or deaf. The DPA noted that a lack of security measures allowed the hacker to access the systems. Thus, it was possible to access the airline’s systems simply by entering the password. The systems did not incorporate multi-factor authentication. Furthermore, the access rights of the accounts were not limited to necessary systems, allowing the hacker to use them to gain access to multiple Transavia systems. The DPA found that Transavia had breached its duty to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects. |
| Link: | link link |
| Related articles: | Art. 32 (1), (2) GDPR |
| Type: | Insufficient technical and organisational measures to ensure information security |
| Fine: | EUR 400,000 |
| Sector | Transportation and Energy |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/