Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.) – €55,400 Fine (Hungary, 2020)

The Hungarian DPA (NAIH) imposed a fine of HUF 20,500,000 (EUR 55,400) on Robinson Tours Idegenforgalmi és Szolgáltató Kft. (Robinson Tours Ltd.) The travel agent's reservation system contained unprotected data of customers, which could be viewed by anyone and found via Google. The data contained, among others, names, contact and address data, copies of personal IDs and passport numbers. During the DPA's investigation, it turned out that the data in question was from a test database created by Next Time Media Agency Ltd, the web agency contracted to develop and operate the database, which was supplemented not only with test data but also with real data of Robinson Tours' customers. In total, the data of 781 individuals was affected, which was accessible by anyone in the period from November 13, 2019 to February 4, 2020. The NAIH also notes that Robinson Tours did not conduct regular security risk screenings. Robinson Tours also failed to notify the data subjects about the data breach.