Transavia Airlines (HV, Amsterdam Schiphol) will have to pay a fine of EUR400,000 euros (USD452,000) for failing to properly protect passengers’ personal data, the Dutch Data Protection Authority (DPA) has announced in a statement.

Due to this “poor security”, a hacker was able to break into Transavia’s systems two years ago, in which he could have potentially gained access to the data of 25 million passengers, though it has since been determined that he actually downloaded the personal data of 83,000 people.

The KLM Royal Dutch Airlines low-cost subsidiary, part of Air France-KLM, has not objected to the fine and it is now final. Transavia did not immediately respond to ch-aviation’s request for comment.

The hacker broke into Transavia’s systems in September 2019 using two of the company’s IT department accounts. According to the authority, there were three security flaws that made it simple. The password was easy to guess. Only the password was needed to enter. And there was no multi-factor authentication in place needing two or more verification factors to gain access.

Once the hacker had control over the two accounts, he also had access to multiple Transavia systems. This was because the access rights linked to the accounts were not restricted to necessary systems only.

The airline itself reported the data breach to the authority “in time” and informed the parties involved, the DPA recounted. The carrier “immediately took many measures to better protect personal data” and launched an investigation, concluding that the health data of passengers and contact details of employees had fallen into the hands of a “malicious third party.”

“When you book a flight, you entrust your personal data to the airline. The airline needs this information to organise your flight. But your data is also useful to criminals who can use it to steal your identity or try to trick you into giving them money through, for example, WhatsApp fraud,” Katja Mur, member of the DPA board, stressed in the statement released on November 12. “So you need to be able to rely on the airline to handle your data with care and make sure it is well secured. Transavia failed to do that.”

The investigation was international in nature, as Transavia serves customers from many countries.

The DPA warned in a 2020 report on data breaches that there had been “a dramatic increase” in the number of hacks aimed at stealing personal data; the number of hacks reported in 2020 was 30% higher than in 2019. But data theft can often be prevented by improving security measures, the authority emphasised.