Aviation and Automobiles

Illustrative Breaches

  • Toyota
  • Dealer Leader, LLC
  • Cathay Pacific
  • British Airways
  • Spice Jet
  • Albany International Airport
  • EasyJet
  • BancoEstado  Embraer         
  • Aerostructures and Aircraft Division of Leonardo SpA           
  • Flight Centre Travel Group Ltd
  • Mercedes
  • AirIndia
  • Audi
  • Volkswagen

Data breach of entities- maximum fines and damage

  • EasyJet

On 19 May 2020, EasyJet, a British airline group, issued a notice reporting a cyber-security incident which exposed personal information of approximately 9 million customers. The company investigated and found that email address, travel details and credit card details of around 2,208 of customers were accessed. However, no passport details were exposed.

The company has notified the National Cyber Security Centre and the ICO of the breach. It is also under the process of communicating the affected customers.

  • British Airways

Despite all threats and scare-mongering about the potential size of fines, the first 12 months of the EU’s General Data Protection Regulation (GDPR) had relatively little in the way of punitive action. Fines issued by data protection firms across mainland Europe that related to data breaches had been in the tens or relatively low hundreds of thousands of euros and generally were in line with the kinds of finds companies were receiving under prior regulations. With a lot of money being spent on compliance efforts and seemingly light punishment for failure, there was a growing worry that GDPR might actually be something of a damp squib.

That quickly changed after BA was fined a record £183 million [~$230 million], the highest data breach penalty to date and surpassing the $148 million Uber paid out in 2018. British Airways was fined by the UK’s data protection authority, the ICO, after the Magecart group used card skimming scripts to harvest the personal and payment data of up to 500,00 customers over a two-week period.

The ICO said its investigation found “poor security arrangements at the company” led to the breach. The BA fine shows that the regulation does have real teeth and the data protection authorities aren’t afraid to exercises their powers. Given that the GDPR has been one of the main drivers for pushing security higher up the agenda with boards, this will give CSOs and privacy/compliance offers renewed impetus to strengthen their security programs further.

  • Cathay pacific

Cathay pacific fined £500,000 penalty by the UK’s data watchdog .9.4 million customer data ( 111,578 of whom were from the UK.) was leaked upon failure to implement necessary technical and administrative and measures to ensure data security and breaching notification obligations.

  • Spice Jet

SpiceJet has reportedly been affected by a data breach, exposing private information of more than 1.2 million passengers. A security researcher gained access to the information by brute-forcing the password to SpiceJet’s system. SpiceJet had left the information unencrypted in a database file, giving easy access to hackers. The data contained names, phone numbers, email addresses, date of birth and other flight information of the passengers.

Enforcements

NameFineAuthority
Taxa 4×35EUR 1,60,000Danish Data Protection Authority
British AirwaysEUR 18,33,90,000Information Commissioner (ICO)
Vueling AirlinesEUR 30,000Spanish Data Protection Authority
LGS Handling LtdEUR 70,000Cyprian Data Protection
Commissioner
Louis Aviation LtdEUR 2,000Cyprian Data Protection Commissioner
Kymen Vesi OyEUR 16,000Deputy Data Protection
Ombudsma (Finland)
Proleasing Motors SRLEUR 15,000Romanian National Authority for
the Supervision of Personal Data
Processing
Global Business Travel Spain
SLU
EUR 5000Spanish Data Protection Authority
British AirwaysEUR 22,029,866The Information Commissioner’s
Office (ICO)
Air Europa Lineas Aereas, SA EUR 600,000 Spanish Data Protection Authority (AEPD)