German Eurowings Airline: Data breach in online portal (GDPR)

[German] At the German Lufthansa subsidiary Eurowings there was a serious GDPR failure in the airline's online portal. Customers were temporarily able to access the personal data of other passengers.

Does anyone still remember the incident at the German Lufthansa Miles & More portal that happened at the beginning of December 2019 (see Lufthansa Miles & More: Data breach at frequent traveller accounts)? Now the Lufthansa subsidiary Eurowings has been hit in the same way with the online customer portal for its air travellers (a short article in German appeared yesterday at DTS, see here).

I became aware of the data protection problem through the above tweet. The data protection incident apparently took place as early as February 6, 2020, but has only now become public.

Users could view other customer data

Customers of the German airline Eurowings can view their flight booking data and other information on the Eurowings online portal. On February 6, 2020, customers suddenly noticed that they were temporarily shown the personal data of other customers – which looks exactly like the Miles & More case mentioned above. A spokeswoman for the airline confirmed to the German news magazine Der Spiegel 'a technical malfunction' on Thursday two weeks ago. This was discovered after one hour and 40 minutes, she said, and the website was "immediately put into maintenance mode as soon as the malfunction became known in order to eliminate the fault". Since then, all booking features have been back in normal use.

Eurowings customer Daniela Wenzel-Schmitz was probably affected and informed Eurowings shortly after 11:00 am. She was advised to log off the portal and write a mail to the Eurowings data protection address, Spiegel Online reports here.

Wrong management decisions lead to GDPR fault?

That immediately rings a bell. Looking back at my article Lufthansa Miles & More: Data breach at frequent traveller accounts, that data incident had also hit customers who were permanently logged in using stored cookies. Since the new data protection failure affects a Lufthansa subsidiary, it is reasonable to suspect that the same or similar IT systems and structures were involved. In this German article, Spiegel Online points out that the new Eurowings boss, Thorsten Dirks, who is now responsible for digitalization at Lufthansa, boasted at the time that the company wanted to become a digital company with an associated flight operation.

It's a GDPR case

In any case, the whole thing has the consequence that this was a notifiable data protection incident under the European General Data Protection Regulation (GDPR). The supervisory authority must be informed within 72 hours. Eurowings had "naturally informed the supervisory authority", said the spokesperson. The responsible NRW State Commissioner for Data Protection and Freedom of Information confirmed that the incident was reported in due time.

Similar articles:
Lufthansa Miles & More: Data breach at frequent traveller accounts
Massive data leak at NextMotion (working in plastic surgery)
British ICO intend to fine BA under GDPR with £183.39m
GDPR: Continental bans WhatsApp & Snapchat

Windows 10, the telemetry and the GDPR privacy problem…
European Union Privacy Watchguard, the GDPR and Microsoft
Dutch report says Microsoft Office is not GDPR compliant
Microsoft will make Office Pro Plus GDPR compliant
Office365 violates GDPR in schools
Windows 10 V1909 Enterprise: Telemetry can be deactivated
