A data breach incident has just been revealed at Air New Zeland airline that, according to network security experts, could have affected more than 110k members of Airponts, its frequent flyer rewards system. The compromised personal data include:
- Full
names - Address
- Date
of birth - Passport
details, maybe
The number of affected users known so far is
about 3% of the 3.2 million Airpoints program members.
The airline is not yet clear about how the
incident occurred, but they are already in the process of notifying affected
users via email, assuring them that their account access password and financial
details have not been compromised. However, some members of the Airpoints
program remain concerned, as they believe that the airline may have provided
further reports in its message, in addition to the airline’s handling of the
incident did not satisfy all users: “I think the airline hasn’t revealed
everything it knows, that makes me assume that my information might have been
stolen,” one of those affected complained.
According to reports from network security
experts, the incident would have started with a phishing
campaign focused against two personal Air New Zeland accounts. This scam
ultimately caused the intrusion, so millions of user data from the reward
system could be exposed to the hackers.
Due to hysteria among potential affected users,
Air New Zeland has placed particular emphasis on the fact that users’ passport
data have not been breached. The airline received new complaints, mainly after
it was leaked that the New Zealand Privacy Commission was notified about the
incident since May 31, while affected users received the notice just a few
hours ago. In response, a company spokeswoman mentioned that the incident was
confirmed as a data
breach until Thursday night local time; “We want to offer
apologies to users affected by this intrusion,” the spokeswoman added.
The passport data of the users may have been stored
on the company’s website at the time they log in, as the home page has a
function to save the user’s data and that you do not have to register again if
you revisit the website. Passport scans may also be stored on the servers of
the Air New Zeland mobile app.
As a security measure, the airline’s network
security experts took control of the compromised accounts, as well as
announcing a thorough investigation to determine the exact causes of the
incident and the method used by hackers.
To prevent possible phishing attack attempts
that users may experience in the future, the airline recommends staying alert
and remembers that for no reason it will ask users for their personal data via
email.
Network security specialists at the International
Institute of Cyber Security (IICS) mention that companies that are typically
victims of data breaches cannot determine the full extent of an incident until
after conducting an investigation; until then, the loss of passport data
remains speculation, at least until the investigation is over.
