Aviation and Automobiles

Illustrative Breaches

Toyota
Dealer Leader, LLC
Cathay Pacific
British Airways
Spice Jet
Albany International Airport
EasyJet
BancoEstado Embraer
Aerostructures and Aircraft Division of Leonardo SpA
Flight Centre Travel Group Ltd
Mercedes
AirIndia
Audi
Volkswagen
Forward Air
Navistar

Data breach of entities- maximum fines and damage

EasyJet: On 19 May 2020, EasyJet, a British airline group, issued a notice reporting a cyber-security incident which exposed personal information of approximately 9 million customers. The company investigated and found that email address, travel details and credit card details of around 2,208 of customers were accessed. However, no passport details were exposed. The company has notified the National Cyber Security Centre and the ICO of the breach. It is also under the process of communicating the affected customers.

British Airways: Despite all threats and scare-mongering about the potential size of fines, the first 12 months of the EU’s General Data Protection Regulation (GDPR) had relatively little in the way of punitive action. Fines issued by data protection firms across mainland Europe that related to data breaches had been in the tens or relatively low hundreds of thousands of euros and generally were in line with the kinds of finds companies were receiving under prior regulations. With a lot of money being spent on compliance efforts and seemingly light punishment for failure, there was a growing worry that GDPR might actually be something of a damp squib. That quickly changed after BA was fined a record £183 million [~$230 million], the highest data breach penalty to date and surpassing the $148 million Uber paid out in 2018. British Airways was fined by the UK’s data protection authority, the ICO, after the Magecart group used card skimming scripts to harvest the personal and payment data of up to 500,00 customers over a two-week period. The ICO said its investigation found “poor security arrangements at the company” led to the breach. The BA fine shows that the regulation does have real teeth and the data protection authorities aren’t afraid to exercises their powers. Given that the GDPR has been one of the main drivers for pushing security higher up the agenda with boards, this will give CSOs and privacy/compliance offers renewed impetus to strengthen their security programs further.

Cathay pacific: Cathay pacific fined £500,000 penalty by the UK’s data watchdog .9.4 million customer data ( 111,578 of whom were from the UK.) was leaked upon failure to implement necessary technical and administrative and measures to ensure data security and breaching notification obligations.

Spice Jet: SpiceJet has reportedly been affected by a data breach, exposing private information of more than 1.2 million passengers. A security researcher gained access to the information by brute-forcing the password to SpiceJet’s system. SpiceJet had left the information unencrypted in a database file, giving easy access to hackers. The data contained names, phone numbers, email addresses, date of birth and other flight information of the passengers.

Enforcements

Name	Fine	Authority
Taxa 4×35	EUR 1,60,000	Danish Data Protection Authority
British Airways	EUR 18,33,90,000	Information Commissioner (ICO)
Vueling Airlines	EUR 30,000	Spanish Data Protection Authority
LGS Handling Ltd	EUR 70,000	Cyprian Data Protection Commissioner
Louis Aviation Ltd	EUR 2,000	Cyprian Data Protection Commissioner
Kymen Vesi Oy	EUR 16,000	Deputy Data Protection Ombudsma (Finland)
Proleasing Motors SRL	EUR 15,000	Romanian National Authority for the Supervision of Personal Data Processing
Global Business Travel Spain SLU	EUR 5000	Spanish Data Protection Authority
British Airways	EUR 22,029,866	The Information Commissioner’s Office (ICO)
Air Europa Lineas Aereas, SA	EUR 600,000	Spanish Data Protection Authority (AEPD)
Vattenfall Europe Sales GmbH	EUR 900,000	Data Protection Authority of Hamburg
Rhodes Municipal Transport Company	EUR 8000	Hellenic Data Protection Authority (HDPA)
GESTIONES AUTO LOW COST S. L.	EUR 1000	Spanish Data Protection Authority
Atac s.p.a.	EUR 400,000	Italian Data Protection Authority (Garante)
Automecanica Jerez, S.L.	EUR 4,000	Spanish Data Protection Authority

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

Cookie Consent