Singapore Airlines has revealed that a data breach caused by a software glitch affected 284 members of its frequent flyer program. Personal details, including passport and flight details, were compromised.
The bug appeared when changes were made to the company’s website on January 4th, and it enabled some Krisflyer members to view other travelers’ information.
The review identified 284 such cases, of which 277 revealed the member’s name, email address, account number, membership tier status, Krisflyer miles, recent miles transactions, upcoming flights, and Krisflyer rewards. The remaining seven accounts might have had their passport details compromised. However, no changes were made to the members’ accounts and no credit card details were compromised.
A company spokesperson stated that no external parties were involved in the data breach and that it was due only to the software bug. The incident occurred between 2am and 12.15pm, Singapore time, on 4 January 2019, and the issue was resolved instantly.
All affected customers would be contacted immediately, and the airline has voluntarily informed Singapore’s Personal Data Protection Commission about the data breach.
Under the Personal Data Protection Act, companies found to have breached the rules it imposes can be fined up to S$10,000 (US$7,325) per customer complaint or face a maximum penalty of S$1 million (US$732,532).
A customer claimed that she was able to view another customer’s personal data while logged into her Krisflyer account with her own user ID and password. These details included the other member’s upcoming trip, destination and departure date, and also their recent transactions. When the customer reported this to the customer center, the agent told her that the airline was performing a system upgrade and instructed her to log out of the account and log back in after 24 hours. This is actually something unexpected from a big company like Singapore Airlines.
Singapore has a Cybersecurity Bill, passed in February last year, that outlines a legal framework addressing the management of the country’s security infrastructure, including the protection of ICT systems operated by nine critical information infrastructure (CII) sectors. These include the government, banking and finance, energy, water, and aviation, which is covered under the transport sector. Under the bill, CII operators are to ensure their systems are adequately protected against cyberattacks.