Blog details

Poor personal data security by Dutch airline leads to a fine

Poor personal data security by Dutch airline leads to a fine

Poor personal data security leads to a fine from the Dutch DPA, after security flaws cause a major hack.


An airline has recently been hit with a €400,000 fine from the Dutch DPA following a major hack, attributable to poor data security. The airline Transavia suffered a hack of two accounts in the company’s IT department, giving a hacker potential access to the personal data of over 25 million passengers. An assessment has since revealed that the personal data of 83,000 passengers was downloaded by the hackers.


There were three security flaws which made the company more susceptible to easily being hacked.


Hackers were able to download the personal information of 83,000 passengers from this airline’s database. This was made very easy due to three security flaws, the first of which was the use of very simple passwords which were evidently easy to guess. In addition, there was no multi-factor authentication in place, meaning that the one password was all that was needed to access those accounts. To further compound the situation, the access rights for these two accounts were not limited to what was necessary, making several of the company’s systems available to the hackers once they gained access to those two accounts.


This situation has been taken very seriously and highlights the importance of maintaining robust security systems and measures. In this case, the hacker was able to access the personal data of millions, simply by breaking into the system with a very simple password. One of those passwords was one that for years has been at the top of the list of most-used passwords, for example “123456”, “Welcome” and “password”.’


The personal data of 83,000 people was downloaded, including health data of 367 people.


Once the hacker gained access to those two accounts in Tansavia’s IT department, they gained access to the personal data of 25 million people which included their names, dates of birth, gender, email addresses, telephone numbers, flight information and booking numbers. The information downloaded related to 83,000 people, including a list of passenger data from 2015 containing names, dates of birth and flight information. The data also included the health information of 367 people who needed to request special considerations like wheelchairs due to health issues.


The Dutch DPA has reported an uptrend in data theft in recent times.

The data breach which led to this international investigation was but one of numerous attacks recorded in recent years. From September to November 2019, these hackers had access to Transavia’s accounts and were stealing personal information. In 2020, the Dutch DPA recorded an increase of 30% in the number of hacks reported, majority of them with the aim of stealing data. The authority has advised that data theft can be avoided by improving security measures.




Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
Multa a una compañía aérea holandesa por sus insuficientes medidas de seguridad
November 16, 2021
Next post
El Tribunal Supremo de Reino Unido frena una demanda colectiva sobre privacidad contra Google
November 18, 2021

Leave a Comment