Transavia airline fined for weak security practices that led to data breach
The Dutch Data Protection Agency has levied a €400,000 ($455,000) fine today against Transavia, a Dutch airline that operates low-cost routes across Europe, for a security breach that allowed a hacker to steal the personal details of more than 83,000 passengers.
The fine pertains to a security breach that Transavia publicly disclosed in February 2020.
Breach could have affected 25 million passengers
But in a press release today, the DPA said that after an investigation into the incident, the agency ruled that the airline was at fault.
Dutch officials said that Transavia used weak security practices, such as easy-to-guess passwords and no two-factor authentication (2FA), which allowed a hacker to gain control over the accounts of two of its IT staff.
From these accounts, the hacker stole a file with the personal details of 83,000 passengers who traveled with the airline between January 21 and January 31, 2015.
Stolen data included passenger first names, last names, dates of birth, flight details, booking numbers, and additional services purchased by passengers, such as extra luggage or medical assistance costs.
The DPA said that for 367 passengers, these extra costs revealed if the passengers were physically impaired, such as needing to board with a wheelchair or if the passengers needed help because they were blind or deaf.
But while the actual data stolen by the hacker was small in size, the DPA said that the same Transavia employee accounts that the hacker hijacked also had access to systems that housed the details of more than 25 million airline customers.
“There are no indications that the hacker also viewed or copied this data, but the possibility was there due to the poor security,” the DPA said today in a press release announcing the fine.
Transavia used simple passwords, no 2FA
“It is very serious that a hacker could have access to the personal data of millions of people by entering the system with a very simple password,” said DPA board member Katja Mur.
“Truly a password that has been at the top of lists of most used passwords for years, along the lines of ‘123456,’ ‘Welcome’ and ‘password’,” she added.
“And not only that: other important barriers to make it difficult for a hacker were also missing,” Mur said.
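The control the regulator faulted the airline for lacking is routine to implement: screening every new or changed password against a deny-list of the most used passwords (the practice recommended in NIST SP 800-63B) and rejecting trivial variants of them. The code below is an added illustration, not part of the original article or any Transavia system; the deny-list, the minimum length and the suffix rule are constructed assumptions, and a real deployment would load a large breached-password corpus instead.

```python
"""Screen candidate passwords against a deny-list of commonly used passwords.

Added example (not from the article or from Transavia). Rejects the kind of
password the DPA quoted ('123456', 'Welcome', 'password') and the trivial
variants users reach for when a bare dictionary word is blocked.
"""
import re
import unicodedata
from typing import Optional, Set

# Constructed sample deny-list: the three passwords quoted by the DPA plus a
# few other perennial entries. Production systems use a far larger list.
COMMON_PASSWORDS: Set[str] = {
    "123456", "welcome", "password", "qwerty", "12345678", "letmein", "admin",
}

MIN_LENGTH = 8  # assumed policy minimum

def normalize(password: str) -> str:
    """Canonical form for matching: NFKC-folded, lowercased, outer whitespace removed."""
    return unicodedata.normalize("NFKC", password).strip().lower()

def strip_trivial_suffix(candidate: str) -> str:
    """Drop trailing digits/punctuation so 'Welcome123!' is compared as 'welcome'."""
    return re.sub(r"[\d!@#$%^&*.]+$", "", candidate)

def evaluate_password(password: str, denylist: Set[str] = COMMON_PASSWORDS) -> Optional[str]:
    """Return None when the password is acceptable, otherwise a short rejection reason.

    Checks run in order: length, exact deny-list hit, deny-list hit after
    stripping a trivial suffix.
    """
    if len(password) < MIN_LENGTH:
        return "too short"
    canonical = normalize(password)
    if canonical in denylist:
        return "on common-password list"
    if strip_trivial_suffix(canonical) in denylist:
        return "trivial variant of a common password"
    return None

if __name__ == "__main__":
    for sample in ["123456", "Welcome", "password", "Welcome1", "Password123!",
                   "correct horse battery staple"]:
        verdict = evaluate_password(sample)
        print(f"{sample!r:32} -> {verdict or 'accepted'}")
```

Because the list lookup happens on a normalized form, `Welcome`, `WELCOME` and `welcome` all fail the same way, and the suffix rule catches the `Welcome1` pattern that bare deny-lists miss. Screening only addresses the weak-password half of the finding; the missing second factor is a separate control and is not modeled here.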
A Transavia spokesperson did not return a request for comment.
Earlier this year, the same DPA also fined hotel booking website Booking.com €475,000 ($560,000) for reporting a 2018 security incident 22 days after it happened, in breach of EU GDPR regulations that dictate that all breaches must be disclosed within 72 hours.
On Wednesday, Dutch TV station NCR reported that the same Booking.com was also hacked by a US intelligence contractor in 2016, who stole reservation details for hotels in the Middle East.