The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a €400,000 fine on Transavia for inadequate protection of its passengers' personal data. Because of this inadequate security, an attacker was able to break into the airline's systems in 2019. It has since become apparent that the personal data of around 83,000 people were downloaded.
Transavia reported the data breach to the AP in time in 2019. It also informed the passengers concerned and took the necessary security measures. After being notified by Transavia, the AP opened an ex officio investigation into the security measures that were in place at the time of the breach.
Password spraying and credential stuffing
In 2019 the attacker gained access to Transavia's systems by means of 'password spraying' and 'credential stuffing'. In password spraying, a small set of commonly used passwords is tried against a large number of accounts, with only a few attempts per account so that lockout thresholds are not triggered; in credential stuffing, username/password pairs leaked in third-party data breaches are replayed against the target, which works wherever people have reused them. Eventually, login attempts on two accounts belonging to Transavia's IT department succeeded. The attacker then gained access to a large part of the (critical) systems and copied personal data from there to an external location. Transavia closed the breach in November of that same year.
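Both techniques leave a recognisable trace in authentication logs: one source touches many distinct accounts with only one or a few failed attempts each, which is the opposite of a classic brute force (one account, many failures). The following detector is an added example written for this article, not Transavia's tooling or anything from the AP's decision; the log format, the source addresses, the account names and the thresholds are all constructed assumptions. It groups failed logins per source within a time window, classifies the pattern, and lists any successful login from a source that shows the spray/stuffing signature, which is exactly the event (the two IT accounts) that should have triggered an investigation.

```python
"""Flag password-spraying / credential-stuffing patterns in authentication logs.

Added example, not code from the page or from Transavia. Log format, thresholds
and sample data are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> auth <SUCCESS|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Higher number = more severe; used to keep the worst window per source.
SEVERITY = {"benign": 0, "brute_force": 1, "spray_or_stuffing": 2}

# Constructed sample: one spraying source that finally lands two generic accounts,
# one brute-force source hammering a single user, and one ordinary user typo.
SAMPLE_LOG = """\
2019-09-20T02:00:01 auth FAIL user=svc-backup src=203.0.113.7
2019-09-20T02:00:04 auth FAIL user=svc-monitor src=203.0.113.7
2019-09-20T02:00:07 auth FAIL user=svc-deploy src=203.0.113.7
2019-09-20T02:00:10 auth FAIL user=it-admin src=203.0.113.7
2019-09-20T02:00:13 auth FAIL user=helpdesk src=203.0.113.7
2019-09-20T02:00:16 auth FAIL user=printserver src=203.0.113.7
2019-09-20T02:00:19 auth FAIL user=vpn-test src=203.0.113.7
2019-09-20T02:05:02 auth SUCCESS user=svc-backup src=203.0.113.7
2019-09-20T02:05:40 auth SUCCESS user=it-admin src=203.0.113.7
2019-09-20T03:10:00 auth FAIL user=alice src=198.51.100.9
2019-09-20T03:10:02 auth FAIL user=alice src=198.51.100.9
2019-09-20T03:10:04 auth FAIL user=alice src=198.51.100.9
2019-09-20T03:10:06 auth FAIL user=alice src=198.51.100.9
2019-09-20T03:10:08 auth FAIL user=alice src=198.51.100.9
2019-09-20T08:30:00 auth FAIL user=bob src=10.0.0.5
2019-09-20T08:30:20 auth SUCCESS user=bob src=10.0.0.5
"""


def parse(lines):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def classify_window(bucket, min_users, max_per_user):
    """Classify one source's events inside a single time window."""
    fails = defaultdict(int)
    for e in bucket:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    distinct, worst = len(fails), max(fails.values(), default=0)
    if distinct >= min_users and worst <= max_per_user:
        verdict = "spray_or_stuffing"      # many accounts, few guesses each
    elif worst > max_per_user:
        verdict = "brute_force"            # one account, many guesses
    else:
        verdict = "benign"
    # Any success from a source showing an attack pattern is a likely compromise.
    successes = sorted({e["user"] for e in bucket if e["result"] == "SUCCESS"})
    return {"verdict": verdict, "distinct_users": distinct,
            "max_failures_per_user": worst,
            "successful_logins": successes if verdict != "benign" else []}


def analyse(lines, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return the most severe finding per source address over all sliding windows."""
    by_src = defaultdict(list)
    for e in parse(lines):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            bucket = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            result = classify_window(bucket, min_users, max_per_user)
            if best is None or SEVERITY[result["verdict"]] > SEVERITY[best["verdict"]]:
                best = result
        findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG.splitlines()).items():
        print(src, f)
```

Per-source grouping is deliberately simple: a spray distributed over many source addresses, or paced slower than the window, will not trip these thresholds, and no log can show whether the same password was used across accounts. That is why the detector complements, rather than replaces, the measures the AP lists below: multi-factor authentication removes the payoff of a correct password guess, and a password policy that is actually audited (including generic and service accounts) removes the easy guesses in the first place.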
(Personal) data actually copied and theoretically accessed
In its investigation, the AP distinguished between two categories of personal data:
- Personal data the attacker actually copied to an external location; and
- Personal data to which the attacker theoretically had access.
The attacker downloaded data on passengers, suppliers and (prospective) employees: the personal data of approximately 83,000 people, copied to an external location. The breach also included the medical data of 376 passengers, consisting of additionally booked services, such as wheelchair assistance, deafness or blindness, which Transavia stored as SSR codes ('Special Service Request'). What these codes stand for can be found on the internet and is sometimes apparent from the code itself. Transavia therefore processed not only 'ordinary' personal data but also special categories of personal data.
At the time of the breach Transavia processed the personal data of approximately 25 million people, and in theory the attacker had access to all of it. According to the AP there are no indications that the attacker actually accessed this data, but the possibility existed. The processing was also cross-border, as the personal data originated from individuals in several European countries.
Password policy, multi-factor authentication and access to the system
The AP’s decision shows that Transavia’s security was lacking in three areas.
Firstly, although Transavia had a policy setting password requirements for each risk level, the accounts involved in the attack did not meet the company's own standard. Although one of the accounts was internally marked as highly privileged, the passwords of both accounts were simple and commonly used, which made them easy to guess (automatically). According to Transavia, internal audits did not look at any of the generic accounts used in the attack, so whether their passwords complied with the policy was never checked. In Transavia's view, the greatest risk lay with user accounts rather than with such generic accounts.
Secondly, multi-factor authentication had not yet been implemented for generic accounts. Contrary to the password policy, remote access (to the online remote working environment) required only a single authentication step: a password and nothing else.
Lastly, once logged into Transavia's systems, the attacker had almost unlimited access. The AP concluded that Transavia could have prevented this, for example by dividing the network into separate segments. In addition, user access could have been restricted by granting each account only the specific access rights it needs (least privilege). Both accounts the attacker logged into had access to systems they did not need.
The AP’s conclusion
The AP concluded that Transavia had failed to implement several commonly used information security standards. The company could have substantially reduced the risk of such a breach by implementing the measures described above. Since the airline processes large quantities of personal data, some of which fall within the special categories, the AP concluded that the security measures taken by Transavia were not proportionate to the risk. The AP therefore qualified the breach as very serious.
Duty to report
In December 2020 the AP imposed a €475,000 fine on Booking.com for late notification of a data breach. That fine did not concern the security measures taken by Booking.com. It is remarkable that the fine imposed on Booking.com is higher than the one imposed on Transavia, even though it was established that the latter had failed to implement adequate security measures to prevent a breach. This illustrates the (perhaps greater) weight the AP attaches to timely notification of data breaches.
In principle, the AP must be notified of a data breach within 72 hours unless the breach is unlikely to pose a risk to the natural persons involved. Implementing appropriate security measures remains of great importance in order to prevent a data breach as far as possible.