[TheRecord] Transavia airline fined for weak security practices that led to data breach

The Dutch Data Protection Agency has levied a €400,000 ($455,000) fine today against Transavia, a Dutch airline that operates low-cost routes across Europe, for a security breach that allowed a hacker to steal the personal details of more than 83,000 passengers.

The fine pertains to a security breach that Transavia publicly disclosed in February 2020.

Breach could have affected 25 million passengers

In a press release today, the DPA said that after investigating the incident, it ruled that the airline was at fault.

Dutch officials said that Transavia used weak security practices, such as easy-to-guess passwords and no two-factor authentication (2FA), which allowed a hacker to gain control over the accounts of two of its IT staff members.

From these accounts, the hacker stole a file with the personal details of 83,000 passengers who traveled with the airline between January 21 and January 31, 2015.

Stolen data included passenger first names, last names, dates of birth, flight details, booking numbers, and additional services purchased by passengers, such as extra luggage or medical assistance costs.

The DPA said that for 367 passengers, these extra costs revealed whether the passengers were physically impaired, such as needing to board with a wheelchair, or whether they needed help because they were blind or deaf.

But while the data actually stolen by the hacker was relatively small, the DPA said that the same Transavia employee accounts the hacker hijacked also had access to systems that housed the details of more than 25 million airline customers.

“There are no indications that the hacker also viewed or copied this data, but the possibility was there due to the poor security,” the DPA said today in a press release announcing the fine.

Transavia used simple passwords, no 2FA

“It is very serious that a hacker could have access to the personal data of millions of people by entering the system with a very simple password,” said DPA board member Katja Mur.

“Truly a password that has been at the top of lists of most used passwords for years, along the lines of ‘123456,’ ‘Welcome’ and ‘password’,” she added.

“And not only that: other important barriers to make it difficult for a hacker were also missing,” Mur said.

A Transavia spokesperson did not return a request for comment.

Earlier this year, the same DPA also fined hotel booking website Booking.com €475,000 ($560,000) for reporting a 2018 security incident 22 days after it happened, in breach of EU GDPR regulations that dictate that all breaches must be disclosed within 72 hours.

On Wednesday, Dutch TV station NCR reported that the same Booking.com was also hacked by a US intelligence contractor in 2016, who stole reservation details for hotels in the Middle East.

The post Transavia airline fined for weak security practices that led to data breach appeared first on The Record by Recorded Future.

