cybersecurity · Airlines · 2020
Transavia Airlines C.V.
Transavia Airlines suffered a 2019 data breach in which hackers compromised employee login credentials and accessed the personal data — names, dates of birth, and flight reservation details — of approximately 25,000 passengers and crew members. The AP found Transavia had failed to implement multi-factor authentication on employee systems with access to passenger records, a standalone violation of GDPR Art. 32 independent of the breach itself. The absence of this basic control was found to have directly enabled the compromise.
Fine Imposed: €400,000.0
Regulation: Algemene Verordening Gegevensbescherming (Dutch GDPR Implementation)
Max fine: €20M or 4% of global annual turnover (Tier 2); €10M or 2% (Tier 1)
Status: active
Key Takeaways
- Failure to deploy multi-factor authentication on employee-facing systems containing customer personal data is itself a GDPR Art. 32 technical security failure — adequate security measures must be commensurate with the risk posed by the data held.