November 12, 2021

Transavia fined €400,000: personal info of 25M passengers exposed in data breach

Two years ago, the Dutch low-cost airline Transavia was hit by a data breach in which a hacker easily accessed the personal information of 25 million of the airline's passengers. Because of the low level of user data protection, the Dutch Data Protection Authority (DPA) has fined Transavia 400,000 euros.

In a press release published on its official website, the DPA reported that, as a result of Transavia's poor security, the hacker actually downloaded the personal data of 83 thousand passengers and also had access to the private information of 25 million passengers.

The cybercriminal broke into the airline’s network in September 2019 using 2 of Transavia’s IT department accounts.

There were 3 security flaws that made it easy to hack Transavia:

  1. A password that was simple to guess.
  2. Single-factor authentication: anyone who knew the password could access the network. To protect systems, IT experts usually use multi-factor authentication, which includes, for example, SMS verification, where a code sent by text message is needed to gain access.
  3. Once the hacker obtained control over the two Transavia IT department accounts, he also had access to multiple systems of the airline.

Therefore, according to the DPA, the Dutch low-cost airline will be fined 400,000 euros due to poor personal data security.

Katja Mur, a member of the DPA board, commented on Transavia's cyber incident:

When you book a flight, you entrust your personal data to the airline.
The airline needs this information to organise your flight. But your data is also useful to criminals who can use it to steal your identity or try to trick you into giving them money through, for example, WhatsApp fraud.
So you need to be able to rely on the airline to handle your data with care and make sure it is well secured. Transavia failed to do that.