AP (The Netherlands) - 23.09.2021

From GDPRhub
AP (The Netherlands) - Transavia Airlines C.V.
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32(1) GDPR, Article 32(2) GDPR, Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 23.09.2021
Published: 12.11.2021
Fine: €400,000
Parties: Transavia Airlines C.V., Autoriteit Persoonsgegevens
National Case Number/Name: Transavia Airlines C.V.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Transavia Airlines C.V. (in NL)
Initial Contributor: Matthias Smet

The Dutch DPA (AP) imposed a fine of €400,000 on Transavia Airlines C.V. for not having taken appropriate technical and organisational measures, which led to a (sensitive) data breach, in violation of Article 32(1) and Article 32(2) GDPR.

English Summary


In October 2019, a malicious third party gained unauthorized access to (personal data contained in) the systems of Transavia Airlines C.V., which led to a data breach. In order to limit the damage and to determine what happened, Transavia engaged an external service provider to conduct a root cause analysis.

Circumstances of the breach:

By using (i) an automated method in which frequently used passwords are tried in a short time (password spray) and (ii) known user data from previous third-party data breaches (credential stuffing), the attacker succeeded in infiltrating Transavia's systems.

The generic user account that was used to gain unauthorized access had the highest privileges on certain domains of the system and was used as a link between Transavia's HR system and the Active Directory. This allowed the attacker to explore the systems and take a targeted approach by taking the following actions:

  • On certain systems, log files were deleted to remove traces;
  • Through a penetration test, the attacker was able to find vulnerabilities in the IT landscape of Transavia;
  • Network documentation, business and other miscellaneous documents and six mailboxes were copied.
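
The password spray and the compromised generic account described above leave a recognisable trace in authentication logs: one source failing against many different accounts in a short time, followed by a success. The following detection logic is an added example, not part of the GDPRhub summary or the AP decision; the log format, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical names of generic (system-to-system) accounts; not from the decision.
GENERIC_ACCOUNTS = {"svc-hr-sync"}

# Constructed sample log: timestamp, source address, account, result, MFA used.
SAMPLE_LOG = """\
2024-01-15T09:40:02 198.51.100.20 a.devries FAIL no
2024-01-15T09:40:30 198.51.100.20 a.devries FAIL no
2024-01-15T09:41:05 198.51.100.20 a.devries OK yes
2024-01-15T09:50:01 203.0.113.7 j.jansen FAIL no
2024-01-15T09:50:03 203.0.113.7 p.bakker FAIL no
2024-01-15T09:50:05 203.0.113.7 m.visser FAIL no
2024-01-15T09:50:07 203.0.113.7 s.smit FAIL no
2024-01-15T09:50:09 203.0.113.7 helpdesk FAIL no
2024-01-15T09:50:11 203.0.113.7 svc-hr-sync OK no
"""


def parse(log_text):
    """Turn log lines into event dicts, skipping lines without five fields."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than guess its meaning
        ts, src, account, result, mfa = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "account": account,
            "ok": result == "OK",
            "mfa": mfa == "yes",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that fail against many distinct accounts within the window,
    and any successful login from such a source while the pattern is active."""
    failures = defaultdict(deque)  # source -> recent (timestamp, account) failures
    reported = set()               # sources already reported as spraying
    alerts = []
    for e in events:
        recent = failures[e["src"]]
        # Drop failures that have aged out of the sliding window.
        while recent and e["ts"] - recent[0][0] > window:
            recent.popleft()
        if not e["ok"]:
            recent.append((e["ts"], e["account"]))
        targeted = {account for _, account in recent}
        # A user mistyping one password stays below the distinct-account threshold.
        if len(targeted) < min_accounts:
            continue
        if e["ok"]:
            generic = e["account"] in GENERIC_ACCOUNTS
            alerts.append({
                "type": "success_after_spray",
                "src": e["src"],
                "account": e["account"],
                "generic": generic,
                "mfa": e["mfa"],
                # A generic account logging in without a second factor is the worst case.
                "severity": "critical" if generic and not e["mfa"] else "high",
            })
        elif e["src"] not in reported:
            reported.add(e["src"])
            alerts.append({
                "type": "spray_suspected",
                "src": e["src"],
                "accounts": sorted(targeted),
                "severity": "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse(SAMPLE_LOG)):
        print(alert)
```

Counting per source address does not catch a spray that is spread over many source addresses; that needs the same window applied across all sources.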

Impact of the breach:

a) Impacted data subjects: the personal data that had been compromised belongs to passengers, employees, suppliers and job applicants. The forensic report of the external service provider showed that approx. 80,000 passengers, approx. 3,000 employees, 200 suppliers and 10 job applicants were impacted by the breach.

b) Sensitive data: In addition to contact details of data subjects, the attacker also had access to sensitive data of the passengers. By using SSR codes (Special Service Request), Transavia tries to adapt its services to the needs of the passenger. From these codes, sensitive personal data (health data) can be indirectly derived (i.e., wheelchair user, blindness, or deafness). The forensic report showed that the health data of 367 people was leaked.

Notification to data subjects:

Fulfilling its obligations laid down in Article 34 GDPR, Transavia identified and notified in total 81,000 data subjects, as there may have been a high risk to the rights and freedoms of these data subjects.


As a result of the notification of the data breach, the DPA decided to investigate whether sufficient appropriate technical and organizational measures were in place at the time of the data breach. This investigation showed that Transavia did not respect Article 32(1) and Article 32(2) GDPR by not taking the appropriate technical and organizational measures.

First, the DPA considered the passwords used to be 'weak'. The DPA was informed that there is a password policy in which the requirements are stated per user profile. However, the DPA determined that the passwords used by the generic accounts in the attack did not meet these prescribed requirements. The reason for this was an incorrect risk assessment by Transavia (Transavia expected that the chance of a successful password spray attack or credential stuffing attack was greater with user accounts than with generic accounts). Second, there was no well-implemented multi-factor authentication (MFA). It was possible to access the Citrix environment without MFA. Based on the above-mentioned risk assessment, Transavia decided to go for a phased roll-out of the MFA implementation, since the company asserted that user accounts had the highest priority. This means that MFA was first to be implemented for user accounts, and only later for the generic accounts. As a result, MFA was not yet implemented for generic accounts at the time the data breach occurred.

Third, the DPA considered the absence of network segmentation, which is the division of the network into functional segments. With network segmentation, only the systems that need to communicate with each other are placed together in separate segments, and users only get access to the segments they need. Taking this basic preventive measure lowers the chance of unauthorized access drastically. Fourth, the DPA considered the fact that certain log files were removed, which made it considerably harder to get a complete picture of the data breach after it occurred. Although Transavia worked together with an external company specialised in IT security, which could track suspicious behaviour because, inter alia, activity was being logged, certain critical logging was not undertaken and it was also possible to remove certain log files. Besides the fact that the above-mentioned security measures were already the norm, the implementation costs were also not considered to be that high.

Then, the DPA considered that the more widely the data is processed and the more sensitive it is, the greater the demands placed on data security. Transavia engages in large-scale processing: the attacker had access to systems containing data of approx. 25 million passengers. Moreover, a part of this is also sensitive, since it is health data. Lastly, the DPA considered the risk of varying likelihood and severity for the rights and freedoms of natural persons. It concluded that this risk is particularly high since the malicious use of the personal data could have led to material and immaterial damage of affected data subjects.

In view of the lack of appropriate technical safeguards which were already the norm, the low implementation costs, the large-scale processing, and the fact that also sensitive data was exposed in the breach, the DPA imposed an administrative fine of €400,000 on Transavia Airlines for violation of Article 32(1) and Article 32(2) GDPR.



English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority Personal Data
PO Box 93374, 2509 AJ The Hague

Bezuidenhoutseweg 30, 2594 AV The Hague
authority data.nl

with regard to the management

Date Unidentified
September 23, 2021 [CONFIDENTIAL]




Dear Sir / Madam,

The Data Protection Authority (AP) has decided to impose an administrative fine of €400,000 on Transavia Airlines C.V. The AP has come to the conclusion that Transavia has not taken appropriate measures to ensure a security level appropriate to the risk. Transavia has thereby acted contrary to Article 32, first and second paragraph, of the General Data Protection Regulation.

The AP explains the decision in more detail below. Chapter 1 is an introduction and chapter 2 contains the facts.
controller of the violation. Chapter 4 elaborates on the (amount of the) administrative fine and chapter 5 contains the operative part and the remedies clause.


1 Introduction

1.1 Involved organization

This decision relates to Transavia Airlines C.V. (hereinafter: Transavia), with its registered office at Piet Guilonardweg 15, 1117 EE in Schiphol. The company is registered in the trade register under number: 34069081. As an airline, Transavia provides flights for business travellers and consumers within Europe.

On 24 October 2019, the AP received a report from Transavia about a security breach of personal data as referred to in Article 33 of the GDPR. In this notification, Transavia indicated that a malicious party has had unauthorized access to Transavia systems. As a result of this, the AP officially investigated whether the technical measures at Transavia met
with regard to access to personal data, which are appropriate as referred to in article 5, paragraph 1, sub f jo.

at Transavia, as well as the rights and possibilities that these user accounts had within the systems of Transavia.

1.2 Process flow

On 28 November 2019, the AP contacted Transavia by telephone about the data leak report of 24 October 2019 and subsequent notifications. AP supervisors then requested information from Transavia several times, which Transavia supplied.

By letter dated 12 May 2021, the AP sent Transavia an intention to enforce and the report with findings on which it is based. Transavia gave its written opinion on this on 28 June 2021.

1 See File 26, Trade Register registration Transavia Airlines C.V.



2.1 The infringement at Transavia

In the data leak report of October 24, 2019, Transavia indicated that a malicious party 2 (hereinafter also: 'attacker') has had unauthorized access to Transavia systems. According to the report, Transavia discovered this on 21 October 2019. Transavia then engaged an external service provider and, together with this service provider, the attacker was excluded from the systems of Transavia. Furthermore, the external service provider has analyzed which systems were affected and which data were involved.

It is described in the report prepared by the external service provider (hereinafter also: 'forensic report') that an attacker has used [CONFIDENTIAL] email addresses. These addresses are possible to find on the internet. 4 The attacker tried to gain access to the

The attacker used a “password spray” or “credential stuffing” attack. In a “password spray” attack, an attacker uses frequently used passwords in an automated way to gain unauthorized access. In a “credential stuffing” attack, an attacker uses known user data (from other third-party data leaks) to try to access a system.

On September 12, 2019 at 9:52 am, a successful login attempt was made by the attacker. With this login, the attacker could use the [CONFIDENTIAL] user. This is a user who was used for [CONFIDENTIAL].

With the [CONFIDENTIAL] user it is possible to access a Citrix environment of Transavia. Citrix is software that makes it possible to work from home. Then it is possible to 7
possible [CONFIDENTIAL] users in the [CONFIDENTIAL] domain.

The attacker then succeeded in getting the authentication data from the user

Transavia France S.A.S. (sister company of Transavia) has reported separately to the French regulator according to the data leak report of 24 October 2019, because personal data would also be involved for which Transavia France S.A.S. is responsible. See File 1, notification of 24 October 2019.
3 See File 11, report of 5 December 2019, page 21.
achievements in an organization.
5 See File 11, report of 5 December 2019, page 21.
6 See File 25, Transavia's answers, date 26 May 2020.
See File 11, report from December 5, 2019, page 21. A network domain is a group of computers (systems) within a


had, according to Transavia, “the highest-level privileges in the [CONFIDENTIAL]”. Basically this means that the accounts [CONFIDENTIAL] and [CONFIDENTIAL] jointly provided access to a large part of the computer network of Transavia. The role of the account was intended to serve as a link between Transavia's HR system and Active Directory (to determine which employees have rights to systems). Active Directory is a service from Microsoft which (among others) is used to manage user rights.

Then the attacker explored the systems of Transavia that are part of the domain
exploration phase, (probably automated) logins were made to [CONFIDENTIAL] systems. at 11

has been able to determine on [CONFIDENTIAL] systems that there are data that are copied. The attacker might have been interested in accessing [CONFIDENTIAL]. Obtaining access to this, however, failed. This is also confirmed by Transavia. 14

The attacker has deleted [CONFIDENTIAL] logs on at least [CONFIDENTIAL] systems. 15

The attacker has continued to use [CONFIDENTIAL] software. This is penetration test software that is intended to find vulnerabilities in an IT landscape. The external service provider found clues to this on at least [CONFIDENTIAL] systems. On 21 October 2019, this type of attack was noticed by the administrator, and the administrator has investigated. After October 21, 2019, no more activities have been observed from the attacker.

Based on this alert, Transavia engaged an external service provider (not the administrator) on October 22, 2019. The external service provider has performed a forensic analysis. The analysis showed that the majority of the attacker's activities were aimed at reconnaissance activities. However, the following data has been copied: network documentation, business and various other documents as well as six mailboxes. 17

Transavia [CONFIDENTIAL] systems have been labeled critical

[CONFIDENTIAL]. On one of the critical systems, the [CONFIDENTIAL], certain log files were removed. As a result, less evidence was available about what happened on this system. 18

8See File 38, Replies from Transavia date September 24, 2020.
 See File 11, report of 5 December 2019, page 21.
10See File 25, Transavia's answers, date 26 May 2020.
1See File 11, report of 5 December 2019, page 21.
12See File 11, report of 5 December 2019, page 26.
13See File 11, report of 5 December 2019, page 25.
  See File 25, Transavia Answers, date 26 May 2020.
15See File 11, report of 5 December 2019, page 23.
16See File 11, report of 5 December 2019, page 25.
17See File 11, report of 5 December 2019, page 4.
18See File 11, report of 5 December 2019, page 17.


On November 22, 2019, Transavia instructed the external service provider to investigate the mailboxes copied by the attacker in this breach to a remote location. The study concerned data in six mailboxes: five employee mailboxes and one of an ex-employee. In the mailboxes, 49 files with personal data were present. According to Transavia, these mailboxes were in use by [CONFIDENTIAL] employees. 20

These files were then analyzed and based on this it was decided to send a notification to 81,000 data subjects, as required in Article 34 of the GDPR, since the breach may entail a high risk. This group of stakeholders consisted of Transavia employees and Transavia customers
employees whose mailboxes had been copied had already been informed verbally according to Transavia. 22

Transavia indicates that since November 25, 2019, the attacker definitively no longer had access to the IT
landscape of Transavia. This is also confirmed by the external service provider. 24

In summary, an unauthorized third party has had access to Transavia systems

access was possible to use a user with many rights, giving the attacker a lot of
had capabilities within these systems

personal data copied to a remote location.

2.2 Type of data

There are two groups of personal data to distinguish in this breach: (1) personal data that the attacker copied to a remote location and (2) data that the attacker had access to

2.2.1 Personal data copied to a remote location

The following data, which were in the mailboxes, were copied by the attacker
(excluding the file names):


19See File 25, Replies from Transavia, date May 26, 2020–Appendix 2: Research report mailboxes.
20See File 25, Replies from Transavia, date May 26, 2020.
21 File 13, press release Transavia.
23 File 2, follow-up from November 22, 2019.
  See File 25, Transavia Answers, date 26 May 2020.
24 See File 11, report of 5 December 2019, page 4.
25 File 25, Replies from Transavia, date May 26, 2020 – Appendix 3: Explanation to appendix 2.












The table above shows that passenger, supplier and (potential) employee data have been copied. Transavia has stated that this concerns about 80,000 passengers. Multiple files also contained the data of up to 3000 employees and up to 200 suppliers. 27

For passengers, this involves: first and last name, date of birth, flight information and SSR code. From

one passenger is concerned with an address and telephone number


Involved: business e-mail addresses, first and last name, address, e-mail address, telephone number.

26See File 25, Transavia's answers, date May 26, 2020.

27See File 25, Transavia's answers, date May 26, 2020 – Appendix 3: Explanation of Appendix 2.


It also appears that up to 10 CV files of potential employees are involved.
and last name, address, e-mail address, telephone number and date of birth.

In the notification that Transavia sent to the passengers concerned (80,000), Transavia reports that the following data is involved: first name, last name, date of birth, flight details, booking number and the extra booked service such as luggage, but also wheelchair use. Furthermore, Transavia indicates that the employees concerned are also informed. 29

The associated services were described as SSR code. SSR code stands for “Special Service Request” code. Transavia uses a 4-character string in their booking system for additional requests, such as a bicycle as luggage. The SSR code is then “BIKE”. These codes can be found on the internet, through which the meaning is known, if not already clear from the code.

The AP asked Transavia which SSR codes Transavia used in what numbers

Transavia's used codes indicate, among other things, when a wheelchair is needed, or when a passenger
for example, used an electric wheelchair
blessing meals are provided during the flights.

In the files that were copied to a remote location, codes that indicate wheelchair use occurred 358 times. A code indicating blindness also occurred five times. Deafness occurred four times. 33

According to Transavia, the passenger data were collected in the period from 21 to 31 January 2015. The data was located in a mailbox on “managed devices of employees”. These are managed 35
devices, mostly mobile devices such as telephones or laptops. The employees involved were

2.2.2 Personal data to which access was possible

Below is an overview of the systems to which users [CONFIDENTIAL] and [CONFIDENTIAL] shared access. The title 'host' in this case means the name of the system. The column “Data from seen/Exfiltrated” indicates if after login to the system still other actions have been observed. If “no” is displayed by Transavia, there was only a login, according to Transavia.

28See File 38, Replies from Transavia date September 24, 2020.
  See File 12, Follow-up notification of February 18, 2020.
30See File 38, Replies from Transavia date September 24, 2020.
31 See for example: https://wheelchairtravel.org/air-travel/special-service-request-codes/, or
32 See File 38, Replies from Transavia date September 24, 2020.
  File 38, Replies from Transavia date 24 September 2020 - Appendix 5: Overview numbers SSR codes.
34 See File 13, Transavia press release.
35 See File 25, Replies from Transavia, date May 26, 2020.
36 File 25, Transavia Answers, date May 26, 2020 – Appendix 4: Hosts Personal data.
37See File 25, Transavia answers, date 26 May 2020.


It appears from the above tables that the following data is processed for passengers: the first name and surname, date of birth, gender, e-mail address and telephone number, flight and booking data and (business) e-mail correspondence.

For employees, the first and last name, gender, date of birth, employee number, the home address, the telephone number, the qualifications/training, social security number, the attendance records and login data are processed. Furthermore, it is mentioned in the overview that on one system reports about safety incidents on board were found. These may also contain data of the employees and passengers involved.

In total, up to 25,000,000 data subjects are mentioned for passengers in the supplied overview, and up to 3000 data subjects for employees. This means that the attacker has seen or could have seen personal data of 25 million people.

The amount of activity of the attacker is split into the following by the external service provider




All the systems mentioned are [CONFIDENTIAL]. On [CONFIDENTIAL] systems, actual evidence was found for copying personal data. System [CONFIDENTIAL] is marked as critical by Transavia because of the amount of data. On this system there was both talk of [CONFIDENTIAL].

On the system [CONFIDENTIAL], evidence for the attacker's activities was more limited than with other systems, because log files were missing for the relevant period of the breach. 40 Furthermore, the system [CONFIDENTIAL] is marked as critical because of the amount of data on this system. On this system there was talk of [CONFIDENTIAL].

In the notification to the AP, Transavia has indicated that the persons involved come from several countries, namely all of Europe. The AP has requested Transavia to provide an overview of which country those involved come from. Transavia has replied that 90% of customers come from the Netherlands, based on the Point of Sale. Only a limited number of data of sister company Transavia France S.A.S. were present on the systems of Transavia Airlines C.V.

39 See File 11, report of 5 December 2019, page 19.
  See File 11, report of 5 December 2019, page 17.
4See File 11, report of 5 December 2019, page 4.
4See File 25, Transavia's answers, date 26 May 2020.
4See File 38, Replies from Transavia date September 24, 2020.


The AP concludes that Transavia processed data of more than 25 million persons at the time of the infringement. Of these, personal data from up to 83,000 persons and health data of 367 persons.

2.3 Security at the time of the infringement

2.3.1 Access to the [CONFIDENTIAL] domain

Transavia's password policy indicates which requirements apply per user, per possible risk level. Transavia's password policy lists 3 levels:
           “Minimal Baseline”, the default level;
           “Medium Additions”, additional measures for users with more privileges;
           “Medium and High additions”, extra measures for certain high-risk users.

According to Transavia, the users used by the attacker had the following levels: 45

             [CONFIDENTIAL] had a level: minimal baseline
             [CONFIDENTIAL] had level: Medium and High security additions

The third-party service provider has indicated that the [CONFIDENTIAL] users “contained the highest
possible privileges”.

A user with a minimum baseline has the following password requirements according to the password policy: 46

             [CONFIDENTIAL]
             [CONFIDENTIAL]

             [CONFIDENTIAL]
             [CONFIDENTIAL]
             [CONFIDENTIAL]

For High Security Additions, the following additional requirements apply:
             [CONFIDENTIAL]

             [CONFIDENTIAL]
             [CONFIDENTIAL]
             [CONFIDENTIAL]

             [CONFIDENTIAL]
             [CONFIDENTIAL]
             [CONFIDENTIAL]

             [CONFIDENTIAL]
             [CONFIDENTIAL]

4 File 25, Replies from Transavia, date May 26, 2020 – Appendix 1: Personnel & Access Control Standard.
4 See File 25, Transavia's answers, date 26 May 2020.
4 See File 25, Replies from Transavia, date May 26, 2020 – Appendix 1: Personnel & Access Control Standard.
4 See File 25, Replies from Transavia, date May 26, 2020 – Appendix 1: Personnel & Access Control Standard.


Transavia distinguishes two types of user accounts: “user accounts” and “generic accounts”. The “user accounts” relate to individual persons. The “generic accounts” are for multiple persons or systems, including for links between systems. Logging in with these users often takes place automatically, according to Transavia. 48

The AP asked Transavia why the accounts involved in the infringement did not comply with Transavia's own standards. In its reply, Transavia indicates that the focus was on “user accounts” when it comes to password policy compliance. These are proportionally more accounts and it was considered that the most risks would arise from this. Transavia has also indicated that this approach would increase “awareness” within the organization. 49 Because of this focus, the shortcomings for the generic accounts involved in the breach have not been noticed.

The password policy also states that “remote access” requires multi-factor authentication. The
report shows that this was not the case for the users that the attacker can access
Accessing a Citrix environment without multi-factor authentication

service provider gives as one of the recommendations to Transavia the implementation of multi-factor authentication for users whose accounts are accessible from the internet or in any case for users with many rights. Citrix itself also recommends multi-factor authentication for the use of their application. 52

The AP asked Transavia why access was possible to a teleworking environment without
using multi-factor authentication on the accounts involved in the breach. 53

In response, Transavia indicated that the “user accounts” first started the roll-out of

expected.In their work, flight crews use applications that are necessary for
a safe flight. If a measure such as multi-factor authentication would cause a delay,
this could cause major flight delays. “Generic Accounts” had lower priority with Transavia. Because the implementation by the flight crew was delayed, the implementation at the “generic accounts” was also delayed. 54

48See File 38, Replies from Transavia date September 24, 2020.
49 See File 38, Replies from Transavia date 24 September 2020.
50 See File 25, Replies from Transavia, date May 26, 2020 – Appendix 1: Personnel & Access Control Standard.
5See File 11, report of 5 December 2019, page 21.
52 See File 40, Citrix best practices, 9 April 2019.
54 File 30, Letter AP to Transavia from 4 September 2020.
  See File 38, Reply from Transavia date September 24, 2020.


The AP asked Transavia whether periodic checks were made of the security policy and
actual implementation of this. Transavia has indicated that several periodic checks
take place:
         [CONFIDENTIAL] 56

         [CONFIDENTIAL]
         [CONFIDENTIAL]

The [CONFIDENTIAL] check also specifies that for privileged accounts (accounts with many access rights) there must be a check whether the passwords comply with the policy of Transavia. Transavia has provided the results of a [CONFIDENTIAL] audit of 2019, quarter 3, as an example of this. The findings refer to the period of 12 months prior to the survey. This indicates positive and negative results. For multiple systems, it indicates that the passwords did not comply with Transavia's policy. 58

The AP determines that the passwords used in the attack did not meet the requirements of the password policy of Transavia. Also, for these users no multi-factor authentication was available, while these users were accessible via the internet or via telework software.

2.3.2 Access within the [CONFIDENTIAL] domain

During the breach, the attacker had access to virtually the entire [CONFIDENTIAL] domain. Transavia has implemented more network segmentation as a follow-up measure. According to the National Cyber Security Center (NCSC), network segmentation is the “dividing network into functional segments”. With network segmentation, only the systems that need to communicate with each other are placed together in separate segments. “Users only get access to the segments they need.”

The AP has asked Transavia whether the attacker, on the systems to which automatic access was obtained, could also have done other things, such as copying, viewing or editing data. Transavia indicated that the attacker had this opportunity.

In its written response, Transavia mentions a number of security measures in force at the moment of the infringement: “At the moment of the infringement, Transavia had taken several measures in the
under its security policy to prevent the consequences of an unauthorized login attempt, including monitoring.

For example, it was equipped for Transavia by its IT supplier Security Operations Center computer and
network activities of Transavia monitored and checked for abnormal activities. Via this system

55See File 38, Replies from Transavia date September 24, 2020.
56 File 38, Replies from Transavia date 24 September 2020 - Appendix 6: [CONFIDENTIAL].
57 File 38, Replies from Transavia date 24 September 2020 - Appendix 6: [CONFIDENTIAL].
58 File 38, Replies from Transavia date September 24, 2020 - Appendix 7: Results [CONFIDENTIAL] 2019 – Q3.
59 See File 25, Transavia answers, date 26 May 2020.
  See File 41, NCSC, Ransomware, measures to prevent, mitigate, and recover from a ransomware attack, June
61 File 30, Letter AP to Transavia from 4 September 2020.


On October 21, 2019, Transavia received the security notice from its IT supplier that indicates unauthorized
access to the IT landscape of Transavia.” 62

The forensic report indicated that the administrator had set up logging capabilities, which means that

the external service provider has been able to largely reconstruct the events
external service provider has been able to use the [CONFIDENTIAL] environment of 63
Transavia. 64

Research showed that it was possible to delete certain log files
for a week at least [CONFIDENTIAL]systemslogsaredeleted.Also is

described that certain logging was not kept in the centralized environment, including
to expand control panel logging to monitor its integrity. Also, it would also improve response

The forensic report also states that obsolete operating systems were installed on several systems. It also states that the implemented multi-factor authentication on certain systems was arranged so that a user could fill in a phone number himself to receive the second factor message. Certain systems had uncontrolled access to the internet. This allowed the attacker to communicate with external systems from Transavia's network. Finally, there was insufficient network intrusion detection
of a limited view of the attacker's network activity.

2.4 Infringement measures

After Transavia found out on 21 October 2019 that an attacker had had unauthorized access to its systems, Transavia directly had a forensic analysis by an external service provider
After the infringement was established, Transavia took various measures.

Transavia has introduced two-factor authentication for all end users and devices, among other things.
In addition, the passwords of all users and generic accounts have been reset

password requirements have been technically implemented. Finally, Transavia has divided its network into
multiple segments. 68

62 See File 25, Transavia answers, date 26 May 2020.
  [CONFIDENTIAL] allows you to analyze data from a large number of different sources (automated) and receive alerts on this. A centralized environment in which a system collects, analyzes and reports logging from different sources is also known as Security Information and Event Management (SIEM). See also: File 42, NCSC, Guide to Implementation of Detection Solutions, October 2015.
64 See File 11, report of 5 December 2019, page 4.
65 See File 11, report of 5 December 2019, pages 23 and 29.
66 See File 11, report of 5 December 2019, pages 27 and 28.
68 See File 11, report of 5 December 2019, page 29.
  Written opinion Transavia, June 28, 2021, page 7 and 8.


2.5 Transavia's view on the established facts and response AP

In its view, Transavia has asked the AP to add some nuances to these points
to suit. To the extent relevant to this decision, the AP will briefly mention this view, provided with a
response from the AP.

Transavia would first of all like to emphasize that the accounts [CONFIDENTIAL] only together (and not each on its own) gave access to a large part of the computer network of Transavia. And that the overviews look at the data that the accounts had joint access to. The AP does not dispute this fact

second account. Nevertheless, the AP has included more nuances about this in the decision.

Secondly, Transavia mentions that the exfiltrated data did not consist of contact details. This is in contrast to the files that were only viewed or could have been viewed by the attacker. The file with historical passenger data contains no contact details, only first and last name, date of birth, flight information and SSR code. The other exfiltrated files do contain business contact details of employees and business contacts, but proportionally this concerns, according to Transavia, less data. The AP agrees with this position of Transavia and has adjusted it.

Finally, Transavia indicates that a passage of the report prepared by the external service provider should be read not so much as saying that systems had unnecessary access to the internet, but that these systems, due to the lack of a host-based firewall, had uncontrolled or unguaranteed access to the internet. In response to this, the AP has replaced the word 'unnecessary' with 'uncontrolled'.

Written opinion Transavia, June 28, 2021.



3.1 Personal data and cross-border processing

Transavia processes data from passengers, employees and suppliers. Data such as names and dates of birth are data with which Transavia can identify natural persons directly or indirectly by combining data. Because Transavia processes data with which a person can be identified directly or indirectly, Transavia processes personal data as mentioned in article 4, part 1, of the GDPR.

Transavia further processes data relating to wheelchair use, deafness and blindness.
Because this information, along with other linked information, says something about the health of a
customer of Transavia, Transavia also processes special categories of personal data as indicated
in Article 9, paragraph 1, of the GDPR.

Transavia offers services to several European countries. It also flies to and from several
European countries. Transavia's passenger data relates to this through data from those involved from
several European countries. Transavia has indicated that of the personal data that Transavia processes, 90% are likely to come from the Netherlands, based on “point of sale”. Given the number
personal data that Transavia processes from Europeans, the AP10 still considers substantial

Because the processing of Transavia involves at least one branch and several Member States will experience, or are likely to experience, substantial impact, there is according to the AP a cross-border processing as referred to in article 4, part 23, of the GDPR.

3.2 Controller

Transavia Airlines C.V.'s privacy policy states that Transavia is responsible for the personal data that Transavia processes. Furthermore, Transavia has indicated that the French company is responsible for the data that the branch collects. 72

Transavia Airlines C.V. has made agreements with sister company Transavia France S.A.S if

Service Level Agreement. These agreements state that the management of the ICT systems is the responsibility of Transavia Airlines C.V. 73

7 See File 44, Print website company profiles www.transavia.com.
7 See File 25, Transavia answers, date 26 May 2020.
7 See File 39, Privacy policy Transavia.
7 See File 38, Replies from Transavia date 24 September 2020 and appendix 2: Excerpt from SLA Transavia Airlines C.V. –


With regard to the employee data, Transavia has indicated that this data is recorded separately. This means that both the French and Dutch organizations are independently responsible for the data of their own employees. Transavia has supplied documentation from which it appears that employee data is also located on systems of Transavia Airlines C.V. 75

Furthermore, Transavia has indicated that at the time of the infringement, personal data of Transavia France S.A.S. were present on only a limited number of systems. 76

Transavia Airlines C.V. was also the client for the research by the external service provider. Transavia Airlines C.V. is also the party that was informed by the administrators and that has reported the infringement to the AP and the persons involved.

In view of the above, Transavia Airlines C.V. determines the purposes and means of (a large part) of the data on the systems as mentioned earlier in chapter 2. The AP establishes that Transavia Airlines C.V. is the controller as referred to in article 4, part 7 of the

The head office of Transavia Airlines C.V. is furthermore located in Schiphol, the Netherlands. Considering the fact that it has been established above that Transavia Airlines C.V. can be designated as controller, the AP is the lead supervisor. According to article 56 of the GDPR, the AP consulted with the other supervisors in the European cooperation system IMI about the fact that the AP sees itself as the lead supervisor. No objection has arisen from this procedure from other European supervisors.

3.3 Appropriate Security Measures

3.3.1 Introduction

Article 32 of the GDPR contains the requirements concerning the security of the processing of personal data. The controller must take appropriate technical and organizational measures to ensure a security level appropriate to the risk. When determining appropriate measures, account should be taken of the risk to the rights and freedoms of persons.

The AP assesses below whether the technical measures at Transavia with regard to access to personal data were appropriate as referred to in article 32 of the GDPR.

75 See File document 38, Reply of Transavia date 24 September 2020.
 File 25, Transavia Answers, date May 26, 2020 – Appendix 3: Explanation of Appendix 2.
76 See File 38, Replies from Transavia date 24 September 2020.
7 See File 11, report of 5 December 2019, page 4 and file 1 and 13.
78 See File 26, Registration Trade Register Transavia Airlines C.V.



In order to determine what is appropriate, a trade-off must be made between the state of the art, the implementation costs, as well as the nature, scope, context and processing purposes and the risks, of varying probability and seriousness, to the rights and freedoms of persons. A risk-adjusted level of security includes, among other things, the ability to guarantee on an ongoing basis the confidentiality, integrity, availability and resilience of the processing systems and services (article 32, paragraph 1, sub b of the GDPR).

State of the art and implementation costs

As determined in Chapter 2, the attacker used a “password spray” or “credential stuffing” attack
where a hacker applies commonly used or previously leaked passwords
can be taken depends, among other things, with the type of application and possibilities
infringement, however, the cause of the infringement turned out to be a simple and commonly used password at two users that was easy to guess (automated). The strength and level of the password was not in accordance with Transavia's own authentication policy.

It is established that Transavia has a policy for the authentication of users. It is also certain that Transavia performs periodic checks and continuously works on its own security policy. However, the periodic security checks supplied by Transavia show that in many applications Transavia's own password policy was not complied with.

Transavia has indicated that the generic accounts used during the breach were not the focus of its own policy. According to Transavia, the risk lay with other types of accounts, namely the user accounts linked to individual users. Because of this, the bad passwords were not detected in time according to Transavia. Furthermore, it is stated that implementing multi-factor authentication for “generic accounts” had not yet been realized at the time of the breach, because the implementation had been delayed by other users.
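The password-spray pattern discussed in this section (one source trying a few common passwords against many accounts, followed by a successful login on a generic account) can be picked up from authentication logs. The following is an added example, not part of the decision or of the forensic report; the log format, account names, IP addresses and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumption): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-01-15T02:00:01 203.0.113.7 j.devries FAIL
2024-01-15T02:00:03 203.0.113.7 a.bakker FAIL
2024-01-15T02:00:05 203.0.113.7 m.jansen FAIL
2024-01-15T02:00:07 203.0.113.7 p.visser FAIL
2024-01-15T02:00:09 203.0.113.7 svc-hr-sync FAIL
2024-01-15T02:00:11 203.0.113.7 k.smit FAIL
2024-01-15T02:05:02 203.0.113.7 svc-hr-sync OK
2024-01-15T08:30:00 198.51.100.20 a.bakker FAIL
2024-01-15T08:30:20 198.51.100.20 a.bakker FAIL
2024-01-15T08:30:45 198.51.100.20 a.bakker OK
"""

# Hypothetical inventory of generic (non-personal) accounts. Keeping these in
# scope matters: they are easy to leave out of password and MFA checks.
GENERIC_ACCOUNTS = {"svc-hr-sync"}


def parse(log):
    """Turn log text into time-ordered (time, source, account, result) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing their meaning
        ts, src, account, result = parts
        events.append((datetime.fromisoformat(ts), src, account.lower(), result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_tries=3):
    """Flag sources that fail against many distinct accounts with few tries each.

    Many tries against one account is classic brute force and usually trips
    lockout; a spray stays under the per-account lockout limit, so it has to
    be recognised per source instead. A successful login from a flagged
    source is reported separately as a likely compromise.
    """
    failures = defaultdict(deque)  # source -> recent (time, account) failures
    flagged = {}                   # source -> time the pattern was first seen
    findings = []
    for ts, src, account, result in events:
        if result == "FAIL":
            recent = failures[src]
            recent.append((ts, account))
            while recent and ts - recent[0][0] > window:
                recent.popleft()   # drop failures that fell out of the window
            per_account = Counter(a for _, a in recent)
            if (src not in flagged
                    and len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_tries):
                flagged[src] = ts
                findings.append({"type": "spray", "source": src, "time": ts,
                                 "accounts": sorted(per_account)})
        elif result == "OK" and src in flagged:
            findings.append({"type": "login_after_spray", "source": src,
                             "time": ts, "account": account,
                             "generic": account in GENERIC_ACCOUNTS})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse(SAMPLE_LOG)):
        print(finding)
```

The second source in the sample (a user mistyping a password twice before logging in) is not flagged, because its failures concern a single account.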

After the first successful authentication, a Citrix environment was used. This environment was then used by the attacker to gain further access to Transavia's systems. For this kind of environment it is recommended to use multi-factor authentication to access

As mentioned, this is a common measure that was also recommended at the time of the infringement by the provider of the telecommuting software Citrix.

After the attacker gained further access, he/she had a lot of liberties on Transavia's systems. Ultimately, this resulted in the copying of data from mailboxes of employees. This could have been prevented by dividing the network into several segments. Furthermore, users' rights can be adjusted to determine whether it is necessary for them to

It also turned out to be possible to use log files on systems marked as critical by Transavia

This meant that there was no full picture of what had occurred on these systems after the breach.


Commonly used information security standards that were valid at the time of the

breaching password management, network segmentation, and user rights
various recommendations. This is what is called a management measure ensuring strong
information to be limited.

The measures that Transavia could have taken at the time of the infringement were already a standard according to
Transavia itself, according to suppliers and according to international standards

measures that were partly implemented by Transavia.

Based on the above, the AP is of the opinion that, in view of the state of the art at the time of the breach, it was certainly possible to implement security measures for the risk that was realized in the infringement. The introduction of the abovementioned essential precautions would have made it possible to guarantee the confidentiality of the processed data in accordance with article 32, paragraph 1, sub b of the GDPR and to substantially reduce the risk of the occurrence of the data leak.

The information supplied by Transavia further shows that after the infringement a multitude of measures have been taken, including changing passwords, implementing network segmentation and adjusting user rights. The AP does not consider the implementation costs for these security measures so high that these measures could not have been implemented earlier.

The nature, the scope, the context and processing purposes
For example, as the data is processed on a large scale and becomes more sensitive,
stricter requirements are imposed on data security.

The AP has established that Transavia processes a large amount of data, including
special data such as health data. The attacker had access to systems where
there are data on about 25 million passengers. Given this large-scale processing of
personal data, the AP does not consider the security of Transavia to be adequate at the time of the breach.

If the infringer has been involved in unauthorized access and provision of personal data.

Furthermore, the attacker could not only have had access to much more data, it was also
possible to copy or process this data. The data that Transavia processes,
such as contact details, can be misused for
purposes that may lead to material or immaterial damage. Transavia also processes in addition

7 See file document 43: NEN-norm_ISO_27001_2017_nl, page 23, 24 and 29.
80 For example, contact information can be used by a malicious person for phishing. Phishing is aimed at obtaining
(sensitive) information, to commit fraud. See also: https://www.ncsc.nl/onderwerpen/phishing.


special data of passengers and social security numbers of employees
confidentiality of this can lead to property damage, such as discrimination fraud.81

In view of the above, the AP is of the opinion that the technical measures were not 'appropriate' at the time of the infringement, as referred to in article 32 of the GDPR. Considering the amount and type
personal data that Transavia processes must be taken to a high level
result in immaterial damage.

The measures that Transavia could have taken were possible and appropriate in view of the state of the art and the costs of implementation. The lack of these measures, at several levels, has led to a (realized) risk to the rights and freedoms of those involved.


Below, the AP briefly summarizes Transavia's view on the assessment of the AP, accompanied by a response from the AP.


In its view, Transavia indicates that it has embedded a continuous improvement process in a cyclical way (PDCA). Against this background, Transavia has a policy for user authentication (the ‘Authentication Policy’) adopted in December 2017 with a three-year policy horizon (phase ‘Plan’). Transavia realizes that the passwords of the compromised accounts in 2019 did not meet its own Authentication Policy. Although the Authentication Policy was appropriate according to Transavia, as referred to in article 32 GDPR, the implementation of that policy was not complete

compromised accounts didn't comply with own policy and were inappropriate in that sense
intended level of security.

Transavia, however, wants to nuance the picture given by the AP in the research report on multi-factor authentication. Based on the information available at the time, Transavia expected that the chance of a

generic accounts. User account data is generally much easier to find on the internet (think of a person's name in combination with the organization, data on LinkedIn) than data about generic accounts that are not linked to any person

was greater than the number of generic accounts. Transavia wants to emphasize that it made the choice to give priority to user accounts with care, taking into account the at the time

 See also: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/veiligheid/meldpleister-dataleks#when-levert-een-datalek-


foreseeable risks. Finally, Transavia would like to note that, with regard to the introduction of multi-factor authentication between 2017 and 2019, it was in step with the rest of the industry.

The AP has determined that the security measures at several levels were not sufficiently appropriate. The combination of weak passwords and the lack of two-factor authentication made it foreseeable, according to the AP, that there was a great risk of unauthorized access to the personal data of Transavia. Two-factor authentication has been common for years

security measures quite easy to implement. The AP sees in the nuances of Transavia about multi-factor authentication no reason to adjust the assessment about this.


The AP concludes that Transavia did not take appropriate measures at the time of the infringement to guarantee a level of security matched to the risk
acted with article 32, first and second paragraph, of the GDPR.



4.1 Introduction

Transavia has acted in conflict with article 32, first and second paragraph, of the GDPR.

established violation using its powers to impose a fine on Transavia. Considering the seriousness of the violation and the extent to which it can be blamed on Transavia, the AP considers the imposition of a fine appropriate. The AP explains this below.

4.2 Fine policy rules of the Dutch Data Protection Authority 2019

Pursuant to article 58, second paragraph, opening words and article 83, fourth paragraph, of the GDPR, read in connection with article 14, third paragraph, of the UAVG, the AP is authorized to impose on Transavia, in the event of a violation of article 32 of the GDPR, an administrative fine up to €10,000,000 or, for a company, up to 2% of total worldwide annual turnover in the previous financial year, if this figure

The AP has established Fine Policy Rules regarding the exercise of the above-mentioned authority to impose an administrative fine, including determining the amount thereof. In the Fine Policy Rules, a system of category classification and bandwidths has been chosen.
fine bandwidth between €120,000 and €500,000 and a basic fine of €310,000.

4.3 Fine amount

The AP adjusts the amount of the fine to the factors mentioned in article 7 of the Fine policy rules, by decreasing or increasing the base amount. This involves an assessment of the seriousness of the violation in the specific case, the extent to which the violation can be blamed on the offender and, if there is reason to do so, other circumstances.


The AP has come to the conclusion that Transavia has not applied an appropriate level of security for the processing of personal data in its network. Transavia processes many types of personal data, such as contact details of passengers and social security number, the attendance records and login details of its employees. Transavia also processes health data, such as wheelchair use, deafness and blindness of passengers.

In addition, it is important that Transavia, during the time of the infringement, processed data of more than 25
million persons. Transavia has at the time the data of this large group of those involved

8 Stcrt. 2019, 14586, March 14, 2019.


insufficiently secured. This huge group of citizens has unnecessarily run extra risk of, among other things, unauthorized access to their personal data. A risk which moreover was realized by the breach of 2019 where data of up to 83,000 persons were leaked and health data of 367

Due to the extensive data processing involved in this violation, and the fact that special personal data of a large number of data subjects were also processed, the AP qualifies this infringement of the GDPR as very serious.

In view of the above, the AP sees, on the basis of the degree of seriousness of the violation, reason to
impose a fine on Transavia and increase the (basic) amount of the fine to €400,000.

4.3.2 Liability, negligence and damage mitigation measures

Pursuant to article 5:46, second paragraph, of the Awb, the AP reserves the right to impose an administrative fine
take into account the extent to which they can be blamed on the offender
violation, is not required for the imposition of an administrative fine in accordance with established case law that

it is shown that intent may presuppose the AP culpability if it
offense has been established. In addition, the AP also takes into account the negligent nature of the infringements
damage mitigation measures by Transavia.

Transavia is required by article 32 of the GDPR to introduce security measures that are appropriate for the nature and scope of the processing which Transavia carries out.
the large extent of the processing, the AP considers that Transavia in any case is special
has been negligent in sufficiently taking such measures. Transavia may be expected to be aware of the standards that apply to it and to act accordingly. The AP considers this

In addition, the AP has established that from the periodic security checks provided by Transavia it turned out that many applications did not comply with Transavia's own password policy. The AP deems it very negligent that Transavia, after these checks, did not take action for such a

to ensure an appropriate level of security. On the other hand, Transavia has, after gaining knowledge of the data leak, immediately taken many measures to protect personal data more appropriately and to prevent the attacker from entering the systems of Transavia any longer
Transavia indicated that in general it has also taken several measures to increase the security level in the company.

In view of the above consideration, the AP therefore sees a reason to increase the fine on the basis of the negligent nature of the infringement by €25,000, but also to reduce the amount of the fine again by €25,000 on the basis of the damage-limiting measures taken.


4.3.3 Other circumstances

In its view, Transavia states that those involved have, with a probability bordering on certainty, not been adversely affected by the data breach. The leaked passenger data does not contain any contact details and was not or not very sensitive. Transavia has not had any report about abuse of the data. Transavia also reported the data leak to the AP in good time and informed those involved. Finally, Transavia cooperated as best as possible in the investigation of the AP and did not make any profits or avoid losses with the infringement.

The AP is of the opinion that the cooperation of Transavia did not go beyond its legal obligation to comply with article 31 of the GDPR. Transavia has not cooperated with the AP in any special way. Also, as regards the circumstance that Transavia merely met its statutory reporting obligation to the AP and the persons involved: in view of the seriousness of this violation, the fulfillment of this obligation cannot be regarded as a relieving or mitigating factor. Finally, the AP notes that the right to protection of data of various data subjects has indeed been damaged, because, for example, health data of passengers and contact data of employees came into the hands of a malicious party. These data subjects are prevented from retaining control of their personal data.

In view of the seriousness of the violations and the degree of culpability, the AP does not give
reason not to see the fine or the fine on the grounds mentioned by Transavia


Finally, pursuant to Articles 3:4 and 5:46 of the Awb, the AP assesses whether the application of its policy for determining the amount of the fine, in view of the circumstances of the specific case, does not lead to a disproportionate outcome.

The AP is of the opinion that (the amount of) the fine is proportional. In this judgment, the AP has taken into account the seriousness of the violation, the extent to which it can be blamed on Transavia, the damage-limiting measures and other circumstances. Due to the large volume of data processing, and the fact that special personal data of a large number of data subjects were also processed, the AP qualifies this infringement of the GDPR as very serious.

In view of all the circumstances of this case, the AP sees no reason to further increase or decrease the amount of the fine based on the present case.

4.4 Conclusion
The AP sets the total fine at €400,000.

8 For the justification, see paragraphs 4.3.1 and 4.3.2.



The AP imposes on Transavia Airlines C.V., for violation of article 32, first and second paragraph, of the GDPR, an administrative fine in the amount of:
€400,000 (in words four hundred thousand euros).84

Yours faithfully,
Autoriteit Persoonsgegevens,


board member

Remedies Clause
If you do not agree with this decision, you can, within six weeks of the date of dispatch of the decision, submit an objection digitally or on paper to the Data Protection Authority. Submitting an objection suspends the effect of this decision. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading 'Objection', at the bottom of the page under the heading 'Contact with the Data Protection Authority'. The address for submission on paper is: Autoriteit Persoonsgegevens, P.O. Box 93374, 2509 AJ Den Haag. Mention 'Awb-objection' on the envelope and put 'objection' in the title of your letter. Write in your objection at least:
     Your name and address

     The date of your notice of objection
     The reference (case number) mentioned in this letter; you can also receive a copy of this decision
     The reason(s) why you do not agree with this decision

     Your signature
For more information, see: https://autoriteitpersoonsgegevens.nl/nl/bezwaar-maken

8 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).