Published customer data could expose TAP to multimillion dollar lawsuits

Published customer data could expose TAP to multimillion dollar lawsuits

Hackers accuse TAP of “trying everything but protecting consumer data”. The airline says it has complied with “all legal procedures” within the stipulated time.

TAP may have to pay hundreds of millions of dollars in damages to the regulator and injured customers after a group of Ragnar Locker hackers released 581 gigabytes of data on its deep webpage this Monday that it guarantees belongs to 1.5 million TAP customers. , according to the Expresso newspaper. These include customer addresses, phone numbers and names, as well as various details of corporate professionals and commercial agreements with the airline, which allegedly refused to pay the ransom demanded by criminals.

In statements to Lusa, TAP has already responded, guaranteeing that it says it has no indication that the pirates gained access to sensitive information from its customers, such as payment details. It is recalled that on August 26, TAP was guaranteed to successfully repel the computer attack. On August 31, the Ragnar Lockers claimed the attack.

In the publication that published the company’s data, the hackers guarantee that they will continue to have access to the Portuguese airline’s internal network. “The most interesting thing is that TAP has not yet fixed the vulnerabilities in the network itself and these kinds of problems could reoccur. By the way, if anyone needs remote access to TAP, let us know,” the group wrote on its deep web blog.

Several domains appearing in the disclosed customer database have “” email accounts, indicating they belong to Portuguese government agencies. In addition, various email addresses of government agencies in other countries are also displayed in the list. TAP also says the relevant information regarding each customer “may differ”, but emphasizes that “so far there is no indication that sensitive information, especially payment details, has been exfiltrated”.

TAP, contacted by CNN Portugal, explains that it is working closely with the judicial police, the National Cybersecurity Center and Microsoft, to try to understand where the security flaw that allowed access to the network originated and how future damage could be prevented. to prevent. criminal group. The company also insists it communicated “within the time prescribed by law” with the National Cybersecurity Center and the National Data Protection Commission. “TAP complies with all legal obligations regarding proceedings,” a company source assures.

The National Data Protection Commission (CNPD) confirms to the Expresso newspaper that it has opened a lawsuit to investigate the Ragnar Locker cyber attack on TAP’s systems. The CNPD also confirms that it has received notification from the airline, as stipulated by the General Data Protection Regulation (GDPR) for these types of incidents.

While it’s too early to talk about legal proceedings against the company, experts warn that the sensitivity of the data made available and the fact that there are injured customers abroad could lead to several lawsuits against it. company over inability to protect its customers’ data, similar to what happened to other companies such as easyJet, which was forced to pay up to £2,000 to each customer after nine million customers’ data, including financial records, was made public made in 2020.

“TAP can expect hundreds of millions of euros in damages. More than a million victims, plus the lawsuits that can be brought by international regulators of affected customers abroad, could have a huge impact,” says data protection lawyer Elsa Veloso.

It should be recalled that this case comes at a time when the Portuguese government has already publicly expressed its willingness to proceed with the sale of more than 50% of TAP this year, with Air France/KLM and Lufthansa as the main candidates. to proceed with the purchase. CNN Portugal attempted to contact the Ministry of Infrastructure to inquire about the possible effects of this incident on the company’s sales, but received no response. A source from the airline says this question is not addressed at this time.

These values ​​depend on the number of data protection errors found by the authorities and who is bringing the process. In the European Union, the record goes to Amazon, which was fined EUR 746 million in Luxembourg. In Portugal, fines are more lenient, and the highest fine was imposed by the CNPD on Lisbon City Council, amounting to 1.2 million euros, through the process known as Russiagate, for sending protesters’ personal data against the Moscow regime to the Russian embassy.

Under the European Data Protection Regulation, data protection authorities in Europe have the option to fine companies up to 4% of their annual worldwide turnover.

The hackers accuse TAP of “trying everything except protecting consumer data, trying to hide the truth, even attacking our sources”, and insisting that all personal data the pirates had access to was “unencrypted”. The group goes further, accusing the company, which was nationalized in July 2020, of trying to “hide the incident”, leading to the publication of “absolutely all information” from the airline.

“Most interestingly, they haven’t fixed the vulnerabilities on their own network and these kinds of issues could recur,” the group of cybercriminals said.

Notification to customers affected by the computer attack was not made until September 13. In the email, the company stated that “immediate containment and remediation measures have been taken to protect customer data,” stating that “the ‘hackers’ have published the following categories of data related to a limited number of customers, including: name, nationality, gender, address, email, telephone contact, customer registration date and frequent flyer number”.

Nuno Mateus-Coelho, a cybersecurity specialist, criticized the company’s response, which should have responded more quickly to the attack and communicated more quickly with its customers so that they were aware of their accounts. In addition, the expert warns that this data could enable groups of criminals to use the information to falsify identification.

“False identities are the biggest concern, but I’m concerned that hackers say they still have access to the network. If they have access, it means there is still the possibility to access credit card information and then the situation becomes much more complex,” he explains.