Datenschutzbehörde Niederlande verhängt 400.000,- EUR DSGVO-Bußgeld wg. unsicherer Datenverarbeitung

Wie die niederländische Datenschutzbehörde mitteilt, hat sie gegen die Fluggesellschaft Transavia  ein DSGVO-Bußgeld iHv. 400.000,- EUR verhängt, weil das Unternehmen kein hinreichende Absicherung bei seiner Datenverarbeitung vorgenommen hat.

Gegenstand der Thematik ist dabei Art. 32 DSGVO, der vorschreibt, dass der Verantwortliche die hinreichenden technischen und organisatorischen Maßnahmen ergreift, um die erforderliche Sicherheit zu gewährleisten.

Hiergegen habe das Unternehmen, so die Behörde, verstoßen:

"The hacker broke into Transavia’s systems in September 2019 using two of the company’s IT department accounts.

There were three security flaws that made it simple for the hacker to do this:

  • The password was easy to guess.
  • Only the password was needed to enter the system. There was no multi-factor authentication in place requiring a person or system to provide two or more verification factors to gain access, such as a password and a code sent by text message.
  • Once the hacker had control over the two accounts, he also had access to multiple Transavia systems. This is because the access rights connected to these accounts were not restricted to necessary systems only."

Insgesamt waren von dem Angriff 25 Millionen Datensätze betroffen. Heruntergeladen wurden nach den Erkenntnissen jedoch nur ca. 83.000 Datensätze.

"The hacker had access to the personal data of 25 million passengers, including names, dates of birth, gender, email addresses, telephone numbers, flight information and booking numbers.

There is no evidence that the hacker actually viewed or copied all of this data, but he could have because of the poor security.

The hacker did, however, download the personal data of around 83,000 people, including a list of passenger data from 2015 containing names, dates of birth and flight information.

The data also included medical information of 367 people who had for example requested to take a wheelchair with them or additional services because they were blind or deaf."