A Singapore Airlines (SIA) customer has reported an incident in which she was able to view someone else's personal data after successfully logging into the carrier's frequent flyer programme using her user ID and password.
The Krisflyer member logged into the carrier's website on Friday and noticed the site was laggier than usual. She opened a second page when the first appeared to have stalled and when both pages loaded up, she saw another user's personal details on one while the other contained a combination of that user's data and hers.
"I saw that my miles were significantly lower and I had a different Elite status than what was shown on screen, so I initially thought my account had been hacked," said Tricia Leo, who is a marketing executive based in Singapore. She told ZDNet she logged into the site earlier this week and did not encounter any security issues then.
Leo proceeded to select the Profile function and saw a different name, "Robert Sia". While details of two upcoming trips were correctly listed under My Bookings, the email details listed in the account belonged to the other user, Robert Sia.
"So, that meant that if I made any changes to my account or flight, those personal details of mine would be emailed to a total stranger," she noted, adding that the page that contained a mixture of both their data had included her phone number and passport number, but his email.
On the page that contained mostly that person's personal data, Leo was able to view the booking reference number of his upcoming trip, including the destination and departure date, as well as his recent transactions such as the number of miles he converted using points from his credit card and a recent trip he took to Tokyo. Clicking on the Profile option on this page required an OTP (One-Time Password), which presumably was sent to the person's mobile number.
SIA passengers can retrieve details of their flight bookings by entering the booking reference number and last name on the website.
Concerned, Leo called up SIA's customer hotline and was informed by the call agent that the airline was performing a system upgrade. The agent then instructed her to log out of her account and log back in after 24 hours. When she queried about the potential security breach and asked if someone else then could have accessed her personal details, the agent said SIA would respond in three to five days and again asked that she logged out of her account and log back in after a day.
[Update: Leo said a representative from the airline called Saturday afternoon to say the security glitch had been due to a "software bug" and her personal data had not been compromised. The agent added that "a few people" also were affected by the incident.]
Leo described the first agent's tone as "dismissive" and disproportionate to the severity of the matter. "She sounded like she was trying to brush me off and treated the issue rather matter-of-factly, She didn't even offer to explain the situation to me," she said.
"They have my passport details on file, including the expiry date, as well as my travel details. I think it's serious enough to warrant a better response than the one I got, especially since my friend's travel details also are in my account as he's a redemption nominee."
SIA has been contacted about the matter, but the Singapore airline has yet to respond. ZDNet also called the carrier's customer hotline and, this time, the call agent acknowledged Leo should not have been able to view someone else's data and the incident was a serious matter.
The call agent said SIA had not alerted its customer support agents of any security issues and was not aware of any other customers who reported similar encounters. He added that the company carried out monthly system upgrades, but these should not lead to any security-related issues such as the one Leo experienced.
He advised anyone facing similar incidents to take screenshots and send these to SIA, so the airline's tech team can investigate.
Leo said: "Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing? It's frustrating that we're held hostage by these companies that demand our personal details, but don't keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured."
"I was also affected by the recent Marriott security breach and all you get is a one-pager without any specific details on how we can rectify the problem," she noted. "It's starting to seem like there's a security breach almost every other week now and we've come to accept that as a norm when that shouldn't be the case."
She added that governments should impose fines and implement policies that will make these companies take security more seriously. Call centres, such as SIA's, also should be better trained to deal with such incidents, she said.
The Singapore airline last February announced plans to launch a digital wallet based on blockchain technology, allowing its Krisflyer frequent flyer members to use their miles to pay for purchases at partnering retailers. It said the e-wallet will run on a "private blockchain" operated by SIA and involve only merchants and partners.
Hong Kong airline Cathay Pacific in October reported a security breach that affected 9.4 million customers and compromised data such as name, nationality, date of birth, and passport number, including 860,000 passport numbers and 245,000 Hong Kong identity card numbers.
Through its digital innovation lab, airline carrier hopes to encourage the development--and even failure--of new ideas to improve service levels, without any concerns of how it will impact employees' career postures.
Updated: It was a month before the data, contained in a leaky Amazon S3 bucket, was secured.
The country's largest airline is offering the service for its domestic flights.
Passport details such as name, nationality, date of birth, and passport number were accessed, with the airline only reaching out to its frequent flyers and registered users.