{"id":13192,"date":"2020-02-15T22:52:32","date_gmt":"2020-02-15T21:52:32","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13192"},"modified":"2024-10-05T21:09:19","modified_gmt":"2024-10-05T19:09:19","slug":"german-eurowings-airline-data-breach-in-online-portal-gdpr","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/02\/15\/german-eurowings-airline-data-breach-in-online-portal-gdpr\/","title":{"rendered":"German Eurowings Airline: Data breach in online portal (GDPR)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/02\/15\/eurowings-schwere-datenpanne-beim-onlineportal\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] At the German Lufthansa subsidiary Eurowings there was a serious GDPR failure at the airline's online portal. Customers were temporarily able to access the personal data of other passengers. <\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/vg02.met.vgwort.de\/na\/44bb339ffbbb483e8dda0517d4469698\" width=\"1\" height=\"1\">Does anyone still remember the incident at the German Lufthansa Miles &amp; More portal, which happened at the beginning of December 2019 (see <a href=\"https:\/\/borncity.com\/win\/2019\/12\/10\/lufthansa-miles-more-data-breach-at-frequent-traveller-accounts\/\">Lufthansa Miles &amp; More: Data breach at frequent traveller accounts<\/a>)? 
Now the Lufthansa subsidiary Eurowings has been hit in the same way with its online customer portal for air travellers (a short article in German appeared yesterday at DTS, see <a href=\"https:\/\/your-first-way.ch\/2020\/02\/14\/datenpanne-bei-eurowings\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"de\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Datenschutz?src=hash&amp;ref_src=twsrc%5Etfw\">#Datenschutz<\/a> (data protection) breach at the Eurowings booking platform. Apparently it was possible to view other users' data, and their bookings could have been changed or cancelled. <a href=\"https:\/\/twitter.com\/hashtag\/DSGVO?src=hash&amp;ref_src=twsrc%5Etfw\">#DSGVO<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ITSicherheit?src=hash&amp;ref_src=twsrc%5Etfw\">#ITSicherheit<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/cybersecurity?src=hash&amp;ref_src=twsrc%5Etfw\">#cybersecurity<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\">#infosec<\/a> <a href=\"https:\/\/t.co\/QHgX3wBT1z\">https:\/\/t.co\/QHgX3wBT1z<\/a><\/p>\n<p>\u2014 Steve Ritter (@SteveJRitter) <a href=\"https:\/\/twitter.com\/SteveJRitter\/status\/1228679101860450304?ref_src=twsrc%5Etfw\">February 15, 2020<\/a><\/p><\/blockquote>\n<p><span id=\"preserve7eccc1da40cf45eeb12bb57633e32708\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"https:\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<p>I became aware of the data protection problem through the above tweet. The data protection incident probably took place on February 6, 2020, but has only now become public. <\/p>\n<h2>Users could view other customers' data<\/h2>\n<p>Customers of German airline Eurowings can view their flight booking data and other information on the Eurowings online portal. 
On February 6, 2020, customers suddenly noticed that they were temporarily shown the personal data of other customers &#8211; which looks exactly like the Miles &amp; More case mentioned above. A spokeswoman from the airline confirmed to German news magazine <em>Der Spiegel<\/em> 'a technical malfunction' on Thursday two weeks ago. This was discovered after one hour and 40 minutes, she said, and the website was \"immediately put into maintenance mode as soon as the malfunction became known in order to eliminate the fault\". Since then, all booking features have been back in normal use.<\/p>\n<p>Eurowings customer Daniela Wenzel-Schmitz was probably affected and informed Eurowings shortly after 11:00 am. She was advised to log off the portal and write an e-mail to the Eurowings data protection address, Spiegel Online reports <a href=\"https:\/\/www.spiegel.de\/netzwelt\/web\/eurowings-schwere-datenpanne-buchungen-einsehbar-a-00000000-0002-0001-0000-000169470924\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. <\/p>\n<h2>Wrong management decisions lead to GDPR fault?<\/h2>\n<p>That immediately rings a bell. As described in my article <a href=\"https:\/\/borncity.com\/win\/2019\/12\/10\/lufthansa-miles-more-data-breach-at-frequent-traveller-accounts\/\">Lufthansa Miles &amp; More: Data breach at frequent traveller accounts<\/a>, that data incident had also hit customers who were permanently logged in using stored cookies. Since the new data protection failure affects a Lufthansa subsidiary, it is reasonable to suspect that the same or similar IT systems and structures were involved. 
In <a href=\"https:\/\/www.spiegel.de\/netzwelt\/web\/eurowings-schwere-datenpanne-buchungen-einsehbar-a-00000000-0002-0001-0000-000169470924\" target=\"_blank\" rel=\"noopener noreferrer\">this German article<\/a>, Spiegel Online points out that the new Eurowings boss, Thorsten Dirks, who is now responsible for digitalization at Lufthansa, boasted at the time that the company wanted to become a digital company with an associated flight operation. <\/p>\n<h2>It's a GDPR case<\/h2>\n<p>In any case, this was a notifiable data protection incident under the European General Data Protection Regulation (GDPR). The supervisory authority must be informed within 72 hours. Eurowings had \"naturally informed the supervisory authority\", said the spokesperson. The responsible NRW State Commissioner for Data Protection and Freedom of Information <a href=\"https:\/\/your-first-way.ch\/2020\/02\/14\/datenpanne-bei-eurowings\/\" target=\"_blank\" rel=\"noopener noreferrer\">confirmed<\/a> that the incident was reported in due time.<\/p>\n<p><strong>Similar articles:<\/strong><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/12\/10\/lufthansa-miles-more-data-breach-at-frequent-traveller-accounts\/\">Lufthansa Miles &amp; More: Data breach at frequent traveller accounts<\/a><br \/>Massive data leak at NextMotion (working in plastic surgery)<br \/><a href=\"https:\/\/borncity.com\/win\/2019\/07\/08\/british-ico-intend-to-fine-ba-under-gdpr-with-183-39m\/\">British ICO intend to fine BA under GDPR with \u00a3183.39m<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/06\/05\/gdpr-continental-bans-whatsapp-snapchat\/\">GDPR: Continental bans WhatsApp &amp; Snapchat<\/a><\/p>\n<p><a href=\"https:\/\/borncity.com\/win\/2020\/01\/03\/windows-10-datenschutzsplitter-die-krux-mit-der-telemetrie\/\">Windows 10, the telemetry and the GDPR privacy problem\u2026<\/a><br \/><a 
href=\"https:\/\/borncity.com\/win\/2019\/10\/22\/eu-manahmen-zur-dsgvo-konformitt-von-ms-produkten\/\">European Union Privacy Watchguard, the GDPR and Microsoft<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/11\/17\/dutch-report-says-microsoft-office-is-not-gdpr-compliant\/\">Dutch report says Microsoft Office is not GDPR compliant<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/02\/11\/microsoft-will-make-office-pro-plus-gdpr-compliant\/\">Microsoft will make Office Pro Plus GDPR compliant<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/07\/15\/office365-violates-gdpr-in-schools\/\">Office365 violates GDPR in schools<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/02\/03\/windows-10-v1909-enterprise-telemetriedaten-deaktivierbar\/\">Windows 10 V1909 Enterprise: Telemetry can be deactivated<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]At the German Lufthansa subsidiary Eurowings there was a serious GDPR Failure at the airline's online portal. 
Customers were temporarily able to access the personal data of other passengers.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[2278,1719,69],"class_list":["post-13192","post","type-post","status-publish","format-standard","hentry","category-security","tag-data-breach","tag-gdpr","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13192"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13192\/revisions"}],"predecessor-version":[{"id":35801,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13192\/revisions\/35801"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}