Dutch DPA fines Airline company due to insufficient security measures
Locations
On 23 September 2021 the Dutch DPA fined the Dutch airline company Transavia € 400.000 due to insufficient security measures of personal data with regard to the risks connected to the data processing activities.
In 2019, Transavia became a victim of a hack. Due to the insufficient security measures, the hacker was able to access the internal systems of Transavia. The hacker was able to enter by using so-called password sprays and/or credential stuffing. Password sprays involves the use of common passwords by the hacker to access the systems. Credential stuffing means that a hacker uses commonly known login data or other access data of users to access the systems.
After Transavia noticed the breach in October 2019, it started a digital forensic investigation together with a third party. The hack was meant to explore the files in the systems of Transavia, but the hacker also made sure to copy some documents such as corporate files and six email inboxes. It was not until November 2019 that Transavia regained control over its internal systems and solved the breach.
The hacker had gained access with a lot of access rights to the internal systems. As a consequence, the personal data of passengers, suppliers and employers were downloaded from the systems. The numbers were around 80,000 passengers, 200 suppliers and 3000 employees. Furthermore, by just accessing the systems, the hacker had gained access to the personal data of no less than 25 million data subjects. The following personal data was involved:
- Passengers: first name, surname, date of birth, flight information and SSR-code;
- Suppliers: first name, surname, business email address, email address and phone number;
- Employees: 10 Curriculum Vitae, first name, surname, phone number, email address, address and date of birth.
After Transavia noticed the breach, the Dutch DPA and data subjects were all informed.
Security measures in place
Prior to the hack, Transavia used two types of accounts for its users, "user accounts" and "generic accounts". The first type of accounts involved different individuals while the second group of accounts was targeted at multiple persons and multiple systems onto which automatic login was possible.
The Dutch DPA notified Transavia about the fact that the security measures in place were insufficient in order to safeguard the entrance of the systems. Especially since Transavia mentions in its password policy that two-factor authentication is required. However, in practice this was not the case. That is why the hacker was able to get access to so many data sets in such an easy manner. Transavia meant to implement its password policy but this project was delayed numerous times. The user and generic accounts never switched to two-factor authentication. Another issue was the fact that Transavia did not take all required measures in order to separate all internal systems. The hacker could easily access multiple systems. This is striking because it is customary to give users access only to the parts of the systems they need.
Assessment AP
The AP found that although Transavia had established a password policy and also performed periodic security checks, these checks showed that the company's own security policy was not being complied with. Moreover, the AP blamed Transavia for not having set up multi-factor authentication on time and for not having noticed that bad passwords were being used. The fact that a malicious party was then able to access a large part of the Transavia systems could have been prevented if Transavia had kept its internal systems separate.
Therefore, the AP rules that prior to the breach it was indeed possible to take sufficient measures to prevent a hack. In short, Transavia took insufficient measures while these were available and therefore does not comply with Article 32 of the General Data Protection Regulation. In addition, the adverse consequences for those involved can translate into immaterial and material damage. Transavia also processed special categories of personal data, so that such an infringement could also lead to discrimination and fraud. Under the penalty policy rules of the AP, the penalty is set at € 400,000 in view of the circumstances.
Takeaway
It is important for companies to identify the risks involved in processing personal data. In addition, it may be wise to consult with processors, as they may have more knowledge and can estimate what security measures are necessary. Multi-factor or two-factor authentication and the establishment of strict access rights to certain parts of the internal systems are two examples of common but necessary security measures. It is wise to periodically check within one's own organisation whether personal data are sufficiently protected and whether additional measures are necessary.
If you have any questions as a result of this article, please contact us.