Air Europa payment-data breach
Spanish airline Air Europa exposed contact and full payment-card data — including CVV codes — on roughly 489,000 customers across 1.5 million records, and was fined €600,000 by the AEPD for weak security and a 41-day notification delay.
- Victim: Air Europa
- Loss: $648.0K
- Records: 1.5M
- Users: 489.0K
In a breach first surfaced in October 2018 and ultimately sanctioned in March 2021, the Spanish carrier Air Europa exposed full payment-card details — including the three-digit CVV security code — on roughly 489,000 customers. The case became a landmark European ruling on both data security and breach-notification timeliness.
What happened
Air Europa stored customer contact information and bank-card data — card numbers, expiration dates and CVV codes — across approximately 1.5 million records. On 17 October 2018, a banking institution alerted the airline that card data had been compromised after detecting fraudulent transactions, indicating attackers had accessed the airline's systems.
Despite learning of the incident, Air Europa did not notify Spain's data protection authority, the AEPD, until 27 November 2018 — a delay of more than 40 days, far beyond the GDPR's 72-hour requirement. The airline initially classified the event as a medium-risk incident and did not promptly warn affected individuals. It was only in October 2019 that Air Europa emailed customers urging them to cancel their credit cards.
Impact
- Around 489,000 individuals had contact details and full payment-card data exposed, drawn from a pool of roughly 1.5 million records.
- Investigators found that data from approximately 4,000 cards was used in fraudulent transactions, making this a breach with demonstrated, not merely hypothetical, harm.
- Because the exposed data included the CVV, the cards were directly usable for card-not-present fraud, which is precisely why payment-security standards prohibit storing CVVs after authorisation.
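The control the last point describes, as an added illustration rather than anything from Air Europa or the AEPD decision: a storage gate that drops the CVV before a payment record is persisted and masks the PAN down to its last four digits, plus an audit routine that flags records read back from storage which still carry a CVV field or a Luhn-valid full card number. The field names (`cvv`, `pan`, `expiry`, `notes`) and the sample record are assumptions constructed for the example.

```python
"""
Added defensive example (not Air Europa's code): a storage gate for payment
records that drops the CVV before anything is persisted and masks the PAN,
plus an audit routine that flags stored records still holding a CVV or a
full PAN. Field names (cvv, pan, expiry, notes) are assumed for illustration.
"""
import re
from typing import Any

# Field names that carry a card security code under one naming convention or
# another (assumed names; extend for your own schema).
CVV_KEYS = {"cvv", "cvc", "cvv2", "cvc2", "security_code", "card_code"}
# Field names under which the primary account number is expected (assumed).
PAN_KEYS = {"pan", "card_number", "cardnumber", "number"}


def luhn_valid(digits: str) -> bool:
    """True if `digits` is a 13-19 digit string that passes the Luhn check."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(value: Any) -> str:
    return re.sub(r"\D", "", str(value))


def looks_like_pan(value: Any) -> bool:
    """A string whose digits (ignoring spaces/dashes) form a Luhn-valid PAN."""
    return isinstance(value, str) and luhn_valid(_digits_only(value))


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of `record` that may be written to persistent storage.

    - CVV-class fields are dropped outright: they are needed only for the
      authorisation request and must never be stored afterwards.
    - The PAN field is replaced by a masked form plus the last four digits.
    - Any other string value that is itself a valid PAN is replaced by its
      masked form, so a card number pasted into a free-text field does not
      leak through under a different name.
    """
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in CVV_KEYS:
            continue
        if k in PAN_KEYS:
            digits = _digits_only(value)
            if not luhn_valid(digits):
                raise ValueError(f"field {key!r} does not hold a valid PAN")
            out["pan_masked"] = mask_pan(digits)
            out["pan_last4"] = digits[-4:]
            continue
        if looks_like_pan(value):
            out[key] = mask_pan(_digits_only(value))
            continue
        out[key] = value
    return out


def audit_stored_record(record: dict) -> list:
    """Findings for a record read back from storage; an empty list means clean."""
    findings = []
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            findings.append(f"CVV-class field present: {key}")
        if looks_like_pan(value):
            findings.append(f"unmasked PAN in field: {key}")
    return findings


# Constructed sample record, as it might arrive from a booking form.
# 4111 1111 1111 1111 is the widely used Visa test number, not a real card.
RAW_RECORD = {
    "email": "traveller@example.com",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "notes": "customer read out 4111111111111111 over the phone",
}

if __name__ == "__main__":
    print("raw record findings:   ", audit_stored_record(RAW_RECORD))
    safe = sanitize_for_storage(RAW_RECORD)
    print("stored record:         ", safe)
    print("stored record findings:", audit_stored_record(safe))
```

Run stand-alone, the raw record produces three findings (the CVV field and two unmasked PANs, one of them hiding in the free-text note), and the sanitized record produces none. The audit half is the piece that would have mattered here: a periodic scan of the card store with `audit_stored_record` surfaces CVV and full-PAN retention long before a bank's fraud desk does.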
Regulatory aftermath
On 19 March 2021, the AEPD fined Air Europa €600,000, split into €500,000 for breaching GDPR Article 32 (failure to implement appropriate technical and organisational security measures) and €100,000 for breaching Article 33 (failure to notify the supervisory authority within the required timeframe). It was one of the largest GDPR fines issued in Spain at the time.
Why it matters
The Air Europa decision is frequently cited in two ways. First, it reinforced that retaining sensitive payment data such as CVVs, and securing it poorly, is an Article 32 violation in its own right. Second, the separate €100,000 penalty for late notification sent a clear message across the EU that the 72-hour clock is enforceable — an organisation cannot quietly sit on a confirmed breach while it decides how serious it is. For the aviation sector, which routinely processes payment and passenger data at scale, the case became a standard cautionary reference.
Financial impact
Reported costs in USD
- Fines & settlements: $648.0K
Timeline
- 17 October 2018: A banking institution notifies Air Europa of fraudulent transactions traced back to compromised card data, revealing a breach of the airline's systems.
- 27 November 2018: Air Europa formally notifies the AEPD of the personal data breach, more than 40 days after becoming aware of it.
- October 2019: Air Europa emails affected customers urging them to cancel their credit cards as a precaution against fraud.
- The AEPD opens sanction proceeding PS/00179/2020 into Air Europa's handling of the breach.
- 19 March 2021: The AEPD fines Air Europa €600,000: €500,000 for inadequate security (Art. 32) and €100,000 for late breach notification (Art. 33).
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/air-europa-data-breach-customers-warned-to-cancel-credit-cards/
- gdprhub.eu: https://gdprhub.eu/index.php?title=AEPD_%28Spain%29_-_PS%2F00179%2F2020
- dataguidance.com: https://www.dataguidance.com/news/spain-aepd-fines-air-europa-600000-gdpr-security-and
- airport-technology.com: https://www.airport-technology.com/news/air-europa-credit-card-data-breach/