Finnair: Massive failure in personal data processing

During the evening (Finnish time, UTC+0200) of January 8, 2015, Finland’s national airline, Finnair (www, biz reg), launched an unprecedented email advertising campaign aimed at their valued customer list.

The subject lines of this campaign are (in Finnish, Swedish and English) as follows:

Subject: Finnair Plus on nyt palkitsevampi etuohjelma!
Subject: Finnair Plus är nu mer för dig!
Subject: Finnair Plus is now more for you!

The unfortunate bit is that this reveals that Finnair’s valued customer list contains significant amounts of outdated and erroneous personal data, which is illegal to process in any way at all here (Section 9.1 of the Personal Data Act). Despite having assistance from the email pros (this is sent out by one of the big ESPs, ExactTarget), they have consistently managed to ignore bounces for $DEITY knows how long. The address list includes any number of addresses at domains that have spent the M³AAWG requisite 12 months dead before being repurposed as spamtraps, as well as significant numbers of addresses at domain names that never existed before being turned into spamtraps.

Yesterday’s missive is just a marketing letter, but others have noticed before that the same problem results in significant information leaks concerning Finnair’s customers, leaks that could put their property at real risk.
