Singapore Airlines data breach affects 284 accounts and exposes travel details

The Singapore carrier points to “a software bug” as the cause of the breach, which occurred when changes were made to its website and affected the personal data of 284 customers, including seven whose passport details have been exposed.

According to Singapore Airlines (SIA), a software glitch caused a data breach affecting 284 members of its frequent flyer program, compromising various personal information, including passport and flight information.

After changes to the Singapore carrier's website on 4 January, the “software bug” surfaced and allowed some of its KrisFlyer members to view information belonging to other travelers, SIA told ZDNet in an email. A spokesman said that a review of its system logs revealed 284 such cases, 277 of which could have shown the member’s name, email address, account number, membership level status, KrisFlyer miles, recent miles, upcoming flights and KrisFlyer rewards.

The remaining seven accounts could have had their passport details compromised, the spokesman said, adding that no changes were made to the members' accounts and that no credit card details were compromised.

“We found that this was a one-off software bug and was not the result of an external party’s breach of our systems or the accounts of our members. The incident took place between 2 a.m. and 12.15 p.m., Singapore time, on 4 January 2019, when the problem was resolved,” the spokesman said. The airline stated that it would contact all affected customers and that the Singapore Personal Data Protection Commission had been “voluntarily informed” of the data breach.

The Commission oversees issues relating to the protection of personal data and enforces the country's Personal Data Protection Act, under which companies found to have breached the stipulated rules can be fined up to S$10,000 (US$7,325) per customer complaint or face a maximum penalty of S$1 million (US$732,532).

Earlier today, an SIA customer was able to view someone else's personal data after logging into her KrisFlyer account with her own user ID and password. These details included the other member's next trip, including the date of departure and destination, as well as his recent transactions, such as the number of miles he converted using points from his credit card and a recent trip to Tokyo.

When she contacted the SIA customer hotline, the call agent informed her that the airline was upgrading the system and instructed her to log out of her account and log in again after 24 hours. “For a company as large as Singapore Airlines, such incidents are not acceptable. How can you upgrade your system without proper testing?” said the customer.

“It’s frustrating that we’re held hostage by those companies that require our personal information, but don’t keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secure.”

Singapore also has a Cybersecurity Bill, passed in February 2018, which outlines a legal framework for managing the country’s security infrastructure, including the protection of ICT systems in nine critical information infrastructure (CII) sectors. These include government, banking and finance, energy, water, and aviation, which falls under the transportation sector. Under the bill, CII operators must ensure that their systems are properly protected against cyberattacks.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.