Transavia Airlines C.V. – €400,000 Fine (Netherlands, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Transavia Airlines was fined €400,000 after hackers accessed its systems and stole personal data of passengers, employees, and others. The breach exposed sensitive information, including health data, due to weak password security. This case underscores the importance of strong cybersecurity measures to protect personal data.
What happened
Hackers accessed Transavia's systems and stole personal data due to weak password security.
Who was affected
Passengers, employees, suppliers, and job applicants whose data was compromised.
What the authority found
The Dutch authority fined Transavia for failing to protect personal data adequately, violating GDPR's security requirements.
Why this matters
This fine highlights the critical need for companies to implement robust security measures, such as strong passwords, to safeguard personal data. Businesses should regularly review their cybersecurity practices to prevent similar breaches.
Original data from scraper before AI verification against source document.
In October 2019, a malicious third party gained unauthorized access to (personal data contained in) the systems of Transavia Airlines C.V., which led to a data breach. In order to limit the damage and to determine what happened, Transavia engaged an external service provider to conduct a root-cause analysis.
Circumstances of the breach: By using (i) an automated method in which frequently used passwords are tried in a short time (password spray) and (ii) known user data from previous third-party data breaches (credential stuffing), the attacker succeeded in infiltrating Transavia's systems. The generic user account that was used to gain unauthorized access had the highest privileges on certain domains of the system and was used as a link between Transavia's HR system and the Active Directory. This allowed the attacker to explore the systems and take a targeted approach by taking the following actions:
* On certain systems, log files were deleted to remove traces;
* Through a penetration test, the user was able to find vulnerabilities in the IT landscape of Transavia;
* Copying network documentation, business and other miscellaneous documents and six mailboxes.
Impact of the breach:
a) Impacted data subjects: the personal data that had been compromised belongs to passengers, employees, suppliers and job applicants. The forensic report of the external service provider showed that approx. 80,000 passengers, approx. 3,000 employees, 200 suppliers and 10 job applicants were impacted by the breach.
b) Sensitive data: In addition to contact details of data subjects, the attacker also had access to sensitive data of the passengers. By using SSR codes (Special Service Request), Transavia tries to adapt its services to the needs of the passenger. From these codes, sensitive personal data (health data) can be indirectly derived (i.e., wheelchair user, blindness, or deafness). The forensic report showed that the health data of 367 people was leaked.
Notification to data subject
Related Enforcement Actions (0)
No other enforcement actions found for Transavia Airlines C.V. in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 23 September 2021
Authority: Autoriteit Persoonsgegevens
Fine Amount: €400,000
GDPRhub ID: gdprhub-4328
Cite as: Cookie Fines. Transavia Airlines C.V. - Netherlands (2021). Retrieved from cookiefines.eu