Romania’s official data protection agency has fined state-owned airline TAROM a rather modest €20,000 after an employee managed to access passenger booking systems and then leak personal passenger information onto the internet. The National Supervisory Authority said TAROM had failed to implement adequate technical measures to stop the leak and accused the airline of organisational failures.
The incident, which is said to have occurred in September, saw a member of staff illegally access a passenger booking system which he shouldn’t have had access to in the first place and then take photographs of a list of personal data belonging to 22 different passengers. The employee then leaked the information on the internet.
The data protection agency did not disclose what personal information the rogue employee had managed to obtain and TAROM has not publicly commented on the incident.
“The operator (TAROM) has not taken any appropriate measures to ensure a level of security corresponding to the risk generated by the unauthorized disclosure or the unauthorized access to the personal data transmitted, stored or otherwise processed,” The National Supervisory Authority said in a statement translated from Romanian.
While the fine may be small, it will be yet another problem for the troubled national carrier to deal with. TAROM has been battling media reports of an internal crisis at the airline after the now ex-director general was forced to step down from her role in October.
That follows accusations Daniela Mădălina Mezei had deliberately failed to follow resolutions made by the airline’s board and had delayed modernising TAROM’s short-haul fleet despite an express order to complete the purchase of new aircraft.
The popular EVZ newspaper has labelled TAROM an “example of incompetence” and has described management of the airline as disastrous. TAROM is said to have lost USD $37 million last year and sources claim those losses could exceed $41 million in 2019.
Nonetheless, TAROM’s data protection fine is small change compared to the record penalty imposed by British authorities for a massive data breach at British Airways where upwards of 500,000 customers had their details compromised. The UK’s Information Commissioners Office slapped BA’s parent company with a $230 million fine earlier this year for the 2017 breach.
British Airways said it would appeal the fine.