Dutch low-cost airline Transavia yesterday (Monday) admitted that as many as 80,000 Transavia passengers’ data was released following a cyber-attack. The five-year-old data was apparently being stored in an email inbox and contained passengers’ full names, their date of birth, luggage reservations, and whether or not they required assistance at the airport, such as a wheelchair.
The data that was released concerned any passengers that flew with the KLM subsidiary between January 21st and January 31st, 2015. Not affected by the breach were any passengers who flew to Egypt, the Canary Islands or Lapland in Finland.
Why was five-year-old data being kept by Transavia?
While admitting that the data had been accessed, Transavia did not explain why five-year-old flight data was being kept in an email inbox file.
“We have recently found that there has been a case of unwanted access to a Transavia mailbox,” the airline said in a statement to passengers. “Despite the fact that this concerns data from the beginning of 2015 and that it did not contain sensitive data such as address data, credit card information or passport information, we personally inform the passengers involved about this event.”
While stopping short of saying that it was a hacker who breached their system, the airline only went so far as to say that it was some type of “unwanted access.”
Everyone concerned will be notified by Transavia
Tour operators and travel agencies have been notified about the data breach, and Transavia has said that they will contact all passengers through the email addresses that they used to make the reservations.
“After investigation, we have no reason to believe that the unwanted access to the mailbox was aimed at obtaining this data. In addition, practice shows that with this combination of data (name, date of birth and flight data) the chance of abuse is minimal,” Transavia said.
The airline has now pledged to improve its cybersecurity to ensure that this kind of breach or any other hack looking to retrieve passenger’s personal information does not occur again. This latest airline data security breach comes on the back of two well-publicized hacks involving Cathay Pacific and British Airways.
In the case of BA, it affected 380,000 payments after customers were redirected to a fake British Airways website. Here, criminals were able to not only gain access to personal information, but credit card numbers, expiration dates, and even the three-digit CVV security code found on the back of the cards.
When the Cathay Pacific breach occurred, it dwarfed what had happened at British Airways, with 9.4 million of the Hong Kong-based airline passengers having their data stolen. Without disclosing any details, the Asian carrier admitted the breach had occurred, but that none of the stolen data was used for malicious purposes.
Airlines are seen as soft targets
This latest attack on Transavia sounds more like a prank than a serious criminal attempt, as no credit card information or addresses were revealed. What is worrying though, is the fact that an airline would keep this kind of information after five years had elapsed.
Cybercriminals look at airlines as being soft targets when compared to banks, which means airlines need to up their game when it comes to cybersecurity.
What do you think airlines should do to better protect their customer’s private information? Please let us know your thoughts in the comments section.