The Personal Data Authority (AP) has imposed a fine of €400,000 on Transavia for poorly securing its passengers' personal data. Because of this poor security, a hacker managed to penetrate the airline's systems in 2019. It has since been established that, in the process, personal data of some 83,000 people were downloaded.
Transavia reported the data breach to the AP in a timely manner in October 2019. It also informed the data subjects, and the necessary measures were taken to put the security in order. After Transavia made the notification, the AP conducted an ex officio investigation into the security measures in place at the time of the data breach.
The hacker penetrated Transavia's systems in September 2019 using "password spraying" and "credential stuffing". In such attacks, a malicious party tries commonly used passwords, or known user credentials obtained from third-party data breaches, in order to gain access to a system. Eventually, successful login attempts took place on two accounts of Transavia's IT department. This gave the hacker access to a large part of the (critical) systems, from which he copied personal data to a remote location. Transavia closed the leak at the end of November of the same year.
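Password spraying is designed to stay under per-account lockout thresholds: a few common passwords are tried against many accounts, so each account sees only one or two failures while one source produces failures across dozens of accounts. The detection below counts distinct failed usernames per source within a sliding time window and reports any successful logins from a source that crossed the threshold. This is an added example, not tooling from Transavia or from the AP decision; the log format (timestamp, username, source address, result) and the log lines are constructed for illustration.

```python
"""Flag password-spraying / credential-stuffing patterns in authentication logs.

Added example; the log format and sample lines are constructed and hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycles through many accounts and eventually
# succeeds on two generic accounts; another source is a user mistyping once.
SAMPLE_LOG = """\
2019-09-01T03:00:01Z alice 203.0.113.7 FAIL
2019-09-01T03:00:02Z bob 203.0.113.7 FAIL
2019-09-01T03:00:03Z carol 203.0.113.7 FAIL
2019-09-01T03:00:04Z dave 203.0.113.7 FAIL
2019-09-01T03:00:05Z erin 203.0.113.7 FAIL
2019-09-01T03:00:06Z frank 203.0.113.7 FAIL
2019-09-01T03:00:07Z svc-deploy 203.0.113.7 OK
2019-09-01T03:00:08Z it-admin 203.0.113.7 OK
2019-09-01T08:15:00Z alice 198.51.100.5 FAIL
2019-09-01T08:15:09Z alice 198.51.100.5 OK
"""


def parse_log(text):
    """Parse 'ts user src result' lines into event dicts (hypothetical format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "ok": result == "OK",
        })
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {source: finding} for sources failing against many distinct accounts.

    A per-account failure counter never trips on spraying (each account fails
    once or twice); counting distinct failed accounts per source does.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        best = set()
        start = 0
        # Sliding window over failures ordered by time.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_distinct_users:
            # Any success from a spraying source is the high-priority signal.
            successes = sorted({e["user"] for e in evs if e["ok"]})
            findings[src] = {
                "distinct_failed_users": len(best),
                "successes": successes,
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(src, f)
```

The thresholds are deliberately parameters: what counts as "many accounts" depends on the size of the directory and on how noisy a given source (a VPN concentrator, a proxy) normally is, so tune them against a baseline before alerting on them.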
In its investigation, the AP distinguished between two categories of personal data: (i) the personal data that the attacker actually copied to a remote location and (ii) the personal data that the attacker theoretically had access to.
The hacker downloaded the passenger, supplier and (potential) employee data of approximately 83,000 individuals and copied this data to a remote location. Medical data of 367 passengers was also leaked, consisting of additional booked services stored by Transavia as SSR ("Special Service Request") codes. These codes refer, for example, to wheelchair use, deafness and blindness. The meaning of the SSR codes can be found on the Internet and in some cases is apparent from the code itself. In addition to 'ordinary' personal data, Transavia therefore also processed special categories of personal data.
In total, Transavia was processing personal data of about 25 million people at the time of the data breach. In theory, the hacker therefore had access to all of this personal data. According to the AP, there are no indications that the hacker actually accessed this data, but the possibility did exist. Furthermore, the processing was cross-border, as the personal data came from individuals in multiple European countries.
The fine decision states that Transavia's security was not in order on three points. First, Transavia has a password policy which specifies the requirements for each possible risk level. The accounts involved in the hack did not meet Transavia's own standards, even though one of those accounts had been assigned the highest privileges within the systems. The passwords used for both accounts were simple and commonly used, making them easy to guess, including by automated means. According to Transavia, the generic accounts used in the hack were not within the scope of its internal controls, so there was no check of whether these passwords complied with the company's own password policy. Transavia indicated that in its view the greatest risk lay with the user accounts, not with such generic accounts.
In addition, Transavia had not yet implemented multi-factor authentication for these generic accounts. Contrary to what the password policy required, remote access (access to the online remote work environment) required only a single authentication step before users could reach the systems.
Finally, the hacker, after successfully logging in, had a great deal of freedom within Transavia's systems. The AP ruled that this could have been prevented. For example, Transavia could have divided the network into different segments. It could also have tied access to systems to the access rights each user actually needed. The two accounts in question that the hacker logged into, for example, also had access to non-emergency systems.
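The three findings share one root cause: controls were defined per risk level but applied only to a subset of accounts. An audit that walks the whole account inventory, generic and service accounts included, and checks each account against the policy for its risk level makes the gap visible. The script below is an added example, not Transavia's policy or tooling; the risk levels, the common-password list, the account inventory and the "reachable" versus "needed" system sets are constructed for illustration, and the unsalted hash comparison stands in for whatever breached-password check the directory actually supports.

```python
"""Audit accounts against a per-risk-level password, MFA and least-privilege policy.

Added example; policy, inventory and password list are constructed.
"""
import hashlib


def _h(password: str) -> str:
    # Simplification: the real check runs against the directory's own hash format.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed list of passwords that must never be in use (any risk level).
COMMON_PASSWORD_HASHES = {_h(p) for p in ["welcome1", "Password1", "Summer2019", "company123"]}

# Constructed policy: MFA mandatory for remote access at medium and high risk.
POLICY = {
    "low": {"mfa_for_remote": False},
    "medium": {"mfa_for_remote": True},
    "high": {"mfa_for_remote": True},
}

# Constructed inventory. 'reachable' is what the account can log in to,
# 'needed' is what its role actually requires.
ACCOUNTS = [
    {"name": "j.doe", "kind": "user", "risk": "medium",
     "pw_hash": _h("long-unique-passphrase-42"), "mfa": True, "remote": True,
     "reachable": {"mail", "booking-frontend"}, "needed": {"mail", "booking-frontend"}},
    {"name": "svc-backup", "kind": "generic", "risk": "high",
     "pw_hash": _h("Summer2019"), "mfa": False, "remote": True,
     "reachable": {"backup", "booking-db", "hr-db", "mail"}, "needed": {"backup"}},
    {"name": "it-ops-shared", "kind": "generic", "risk": "medium",
     "pw_hash": _h("welcome1"), "mfa": False, "remote": False,
     "reachable": {"ticketing"}, "needed": {"ticketing"}},
]


def audit(accounts, kinds=("user", "generic")):
    """Return (account, finding) pairs for every account of the given kinds.

    Restricting `kinds` to ("user",) reproduces the blind spot described in
    the decision: the generic accounts are never checked at all.
    """
    findings = []
    for a in accounts:
        if a["kind"] not in kinds:
            continue
        if a["pw_hash"] in COMMON_PASSWORD_HASHES:
            findings.append((a["name"], "common-password"))
        if a["remote"] and POLICY[a["risk"]]["mfa_for_remote"] and not a["mfa"]:
            findings.append((a["name"], "remote-access-without-mfa"))
        excess = a["reachable"] - a["needed"]
        if excess:
            findings.append((a["name"], "excess-access:" + ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS):
        print(f"{name}: {finding}")
```

Run with the default scope, the audit reports the weak password, the missing MFA on remote access and the excess system access of the high-risk generic account; run with `kinds=("user",)` it reports nothing, which is exactly the false sense of security the decision describes.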
The AP therefore concluded that Transavia had (partially) failed to implement commonly used information security standards. Had it done so, it could have substantially reduced the risk of a data breach occurring. Moreover, the airline processes a large amount of personal data, including special categories of personal data. This contributes to the judgment that Transavia's security at the time of the data breach was not adequate given the risk. The AP therefore qualifies the breach as very serious.
In December 2020, the AP imposed a fine of €475,000 on Booking.com for late notification of a data breach. That fine was not related to Booking.com's security measures. It is therefore striking that the fine for Booking.com is higher than that for Transavia, even though the latter had not implemented adequate security measures to prevent data breaches. This illustrates that the AP attaches great (or even greater?) value to the timely reporting of a data breach.
In principle, a data breach must be reported within 72 hours, unless it is unlikely to pose a risk to the natural persons involved. Implementing appropriate security measures remains important in order to prevent such a breach as far as possible.