Dutch DPA fines Transavia for poor personal data security


The Dutch Data Protection Authority (DPA) has fined the airline Transavia €400,000 for poor personal data security. Due to this poor security, a hacker was able to break into Transavia’s systems in 2019, in which he could have potentially had access to the data of 25 million passengers. It has been determined that the hacker actually downloaded the personal data of 83,000 people.

'When you book a flight, you entrust your personal data to the airline,' said Katja Mur, member of the DPA board.

'The airline needs this information to organise your flight. But your data is also useful to criminals who can use it to steal your identity or try to trick you into giving them money through, for example, WhatsApp fraud.'

'So you need to be able to rely on the airline to handle your data with care and make sure it is well secured. Transavia failed to do that.'

Password easy to guess

The hacker broke into Transavia’s systems in September 2019 using two of the company’s IT department accounts.

There were three security flaws that made it simple for the hacker to do this:

  • The password was easy to guess.
  • Only the password was needed to enter the system. There was no multi-factor authentication in place requiring a person or system to provide two or more verification factors to gain access, such as a password and a code sent by text message.
  • Once the hacker had control over the two accounts, he also had access to multiple Transavia systems. This is because the access rights connected to these accounts were not restricted to necessary systems only.

25 million people

The hacker had access to Transavia’s systems from September to November 2019, when Transavia ended the data breach.

Transavia reported the data breach to the AP in time and informed the parties involved. After having become aware of the data breach, Transavia immediately took many measures to better protect personal data.

The hacker had access to the personal data of 25 million passengers, including names, dates of birth, gender, email addresses, telephone numbers, flight information and booking numbers.

There is no evidence that the hacker actually viewed or copied all of this data, but he could have because of the poor security.

Personal data downloaded

The hacker did, however, download the personal data of around 83,000 people, including a list of passenger data from 2015 containing names, dates of birth and flight information.

The data also included medical information of 367 people who had for example requested to take a wheelchair with them or additional services because they were blind or deaf.

Very serious

Ms Mur said, 'It is very serious that a hacker was able to access the personal data of millions of people by breaking into the system with a very simple password. One that for years has been at the top of the list of most-used passwords, like "123456", "Welcome" and "password".'

'And that’s not all: other important barriers that would have made it difficult for a hacker to gain entry were not in place.'

Dramatic increase in data theft

The DPA warned in its 2020 report on data breaches (in Dutch only) that there had been a dramatic increase in the number of hacks aimed at stealing personal data.

The number of hacks reported in 2020 was 30% higher than in 2019. Data theft can often be prevented by improving security measures.

International investigation

The investigation was international in nature because Transavia serves customers from many different countries. Transavia’s head office is in the Netherlands, so the Dutch DPA conducted the investigation but it consulted with data protection authorities in other European countries as well.

What’s next?

The decision on the fine is final. Transavia did not lodge an objection.