Transavia – €400,000 Fine (Netherlands, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Transavia, a Dutch airline, was fined EUR 400,000 after a hacker accessed its systems due to weak security measures. The breach exposed personal data of 83,000 people, including sensitive medical information for some. This case underscores the need for strong security practices like multi-factor authentication.
What happened
A hacker accessed Transavia's systems through weak security, exposing personal data of 83,000 people.
Who was affected
Passengers whose personal and, in some cases, medical information was exposed in the data breach.
What the authority found
The Dutch DPA fined Transavia for failing to implement adequate security measures to protect personal data, violating GDPR's security requirements.
Why this matters
This ruling stresses the importance of robust security measures, such as multi-factor authentication, to protect personal data. Companies should regularly review and strengthen their security protocols to prevent breaches.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Dutch DPA has fined airline Transavia EUR 400,000. In 2019, the airline suffered a data breach, in which a hacker gained access to Transavia's systems through two accounts held by the company's IT department. This could have potentially allowed the hacker to access data such as names, dates of birth, gender, email addresses, phone numbers, flight information and booking numbers of 25 million passengers. It was found that the hacker actually downloaded the personal data of 83,000 people. In 367 cases, the data included medical information of people who had requested, for example, wheelchair transportation or additional services because they were blind or deaf. The DPA noted that a lack of security measures allowed the hacker to access the systems. Thus, it was possible to access the airline's systems simply by entering the password. The systems did not incorporate multi-factor authentication. Furthermore, the access rights of the accounts were not limited to necessary systems, allowing the hacker to use them to gain access to multiple Transavia systems. The DPA found that Transavia had breached its duty to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects.
Related Enforcement Actions (0)
No other enforcement actions found for Transavia in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 November 2021
Authority
Autoriteit Persoonsgegevens
Fine Amount
€400,000
Enforcement Tracker ID
ETid-902
About this data
Cite as: Cookie Fines. Transavia - Netherlands (2021). Retrieved from cookiefines.eu