A Singapore Airlines (SIA) customer reported an incident in which she was able to view another person's personal data after successfully logging in to the carrier's frequent flyer program with her username and password.
The Krisflyer member logged in to the carrier's website on Friday and noticed that the site was slower than usual. She opened a second page when the first one seemed to be blocked. When the two pages were loaded, she saw the personal information of another user on one, while the other contained a combination of that user's data and hers.
"I found that my miles were way lower and that my Elite status was different from the one on the screen, so I thought my account had been hacked," said Tricia Leo, a director of marketing in Singapore. She told ZDNet that she had logged in to the site earlier this week and had not encountered any security issues.
Leo then selected the Profile function and saw another name, "Robert Sia". Although the details of two upcoming trips were correctly listed in My Bookings, the email address appearing in the account belonged to the other user, Robert Sia.
"This means that if I made any changes to my account or my flight, this personal information would be sent to a stranger by e-mail," she said, adding that the page containing a mixture of their data contained her phone number and passport number, but his email.
On the page containing this person's personal data, Leo was able to display the booking reference number of his next trip, including the destination and departure date, as well as his recent transactions, such as the number of miles converted using points from his credit card account and a recent trip he took to Tokyo. Clicking on the Profile option on this page prompted a request for a one-time password (OTP), which was probably sent to the person's mobile phone number.
SIA passengers can retrieve details of their flight bookings by entering the booking reference and last name on the website.
Worried, Leo called SIA's customer support line and was informed by the call agent that the airline was performing a system upgrade. The agent then asked her to log out of her account and log back in after 24 hours. When asked if another person could have access to her personal data, the security officer replied that SIA would respond within three to five days. She again asked Leo to log out of her account and log back in after a day.
[Update: Leo said a representative from the airline called Saturday afternoon to say the security glitch had been due to a “software bug” and her personal data had not been compromised. The agent added that “a few people” also were affected by the incident.]
Leo called the tone of the first agent "disdainful" and disproportionate to the seriousness of the case. "It seemed like she was trying to get rid of me and treat the issue fairly objectively; she did not even offer to explain the situation," she said. "They have the details of my passport on file, including the expiry date, as well as the details of my trip. I think it's serious enough to warrant a better response than the one I'm having, especially as the travel details of my friend are also on my account as he is a redemption candidate."
SIA has been contacted about this, but the Singaporean airline has not yet responded. ZDNet also called the airline's helpline, and this time the call agent acknowledged that Leo should not have been able to view someone else's data and that the incident would be a serious matter.
He stated that SIA had not alerted customer agents to any security issues and that he was not aware of any other customer reporting similar incidents. He added that the company was doing monthly upgrades to the system, but that these should not cause security issues such as the one Leo encountered.
He advised anyone facing similar incidents to take screenshots and send them to SIA, so that the airline's technical team can investigate.
Leo said: "Such incidents are unacceptable for a company as large as Singapore Airlines. How to upgrade a system without conducting proper testing? It's frustrating to find that we are being held hostage by those companies that require our personal data, but do not keep it. When you ask me for personal data, I expect you to have the technology and systems in place to protect it.
"I've also been affected by Marriott's recent security hole and you only get a one-page, nonspecific document on how we can rectify the problem," she noted. "It's starting to look like a security hole almost every two weeks and we've come to accept it as a standard when it should not be."
She added that governments should impose fines and implement policies that would get these companies to take security more seriously. Call centers, such as SIA's, should also be better trained to deal with such incidents, she said.
Last February, the Singaporean airline announced plans to launch a blockchain-based digital wallet, allowing Krisflyer members to earn miles to pay for their purchases at partner retailers. It added that the electronic wallet would be powered by a "private channel" managed by SIA and involving only merchants and partners.
In October, Cathay Pacific Airlines in Hong Kong reported a security breach that affected 9.4 million customers and compromised data such as name, nationality, date of birth and passport number, including 860,000 passport numbers and 245,000 Hong Kong identity card numbers.