Singapore Airlines data breach affects 285 accounts, exposes travel details

Singapore carrier points to "a software bug" as the cause of the breach that occurred when changes were made to its website, compromising personal data of 285 customers including seven whose passport details were exposed.
Written by Eileen Yu, Senior Contributing Editor

[Update: Following its initial statement, Singapore Airlines has updated the number of affected accounts from 284 to 285.]

Singapore Airlines (SIA) says a software glitch was the cause of a data breach that affected 285 members of its frequent flyer programme, compromising various personal information including passport and flight details. 

The "software bug" surfaced after changes were made to the Singapore carrier's website on January 4 and enabled some of its Krisflyer members to view information belonging to other travellers, SIA told ZDNet in an email. 

A spokesperson said a review of its system logs revealed 285 such cases, of which 278 might have exposed the member's name, email address, account number, membership tier status, Krisflyer miles, recent miles transactions, upcoming flights, and Krisflyer rewards.   

The remaining seven accounts might have had their passport details compromised, said the spokesperson, who added that no changes were made to the members' accounts and no credit card details were compromised. 

"We have established that this was a one-off software bug and was not the result of an external party's breach of our systems or members' accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved," the spokesperson said. 

The airline said it will contact all affected customers and has "voluntarily informed" Singapore's Personal Data Protection Commission about the data breach.

The commission oversees issues related to personal data protection and enforces the country's Personal Data Protection Act, in which companies that are found to have breached stipulated rules can be fined up to S$10,000 (US$7,325) per customer complaint or face a maximum penalty of S$1 million (US$732,532).

ZDNet earlier today reported that an SIA customer was able to view someone else's personal data after logging into her Krisflyer account using her user ID and password. These details included the other member's upcoming trip, such as the destination and departure date, as well as his recent transactions, which included the number of miles he had converted using points from his credit card and a recent trip he took to Tokyo. 

Upon contacting SIA's customer hotline, the SIA customer was informed by the call agent that the airline was performing a system upgrade and instructed to log out of her account and log back in after 24 hours. "Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing?" the customer had said. 

"It's frustrating that we're held hostage by these companies that demand our personal details, but don't keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured."

Singapore also has a Cybersecurity Bill, passed in February 2018, that outlines a legal framework addressing the management of the country's security infrastructure, including the protection of ICT systems operated by nine critical information infrastructure (CII) sectors. These include the government, banking and finance, energy, water, and aviation -- which is covered under the transport sector --  among others. Under the bill, CII operators are to ensure their systems are adequately protected by cyberattacks.

Related Coverage

Singapore Airlines customer logs into account, sees stranger's personal data

Frequent flyer member successfully logs into her Krisflyer account using her user ID and password, but sees personal details of someone else, including the booking reference for an upcoming trip, recent activities, and personal email.

Singapore Airlines employees urged to innovate, fail without fear

Through its digital innovation lab, airline carrier hopes to encourage the development--and even failure--of new ideas to improve service levels, without any concerns of how it will impact employees' career postures.

Nigerian airline Arik Air may have leaked customer data

Updated: It was a month before the data, contained in a leaky Amazon S3 bucket, was secured.

Brazilian carrier Latam Airlines offers inflight Wi-Fi

The country's largest airline is offering the service for its domestic flights.

Cathay Pacific data breach hits 9.4 million people

Passport details such as name, nationality, date of birth, and passport number were accessed, with the airline only reaching out to its frequent flyers and registered users.

Editorial standards