Customers could face long-term privacy issues after Air New Zealand data breach
Sunday, 11 August 2019
A data breach has exposed up to 112,000 Air New Zealand Airpoints customers to long-term privacy concerns.
Air New Zealand is facing questions around how the data breach happened and why it took the company over nine days to notify customers compromised by the phishing attack.
The company notified the Privacy Commissioner about the breach on July 31; however, customers were only told about the attack on August 9.
An Air New Zealand spokeswoman said the commissioner had been informed about the breach while it was still in the process of confirming details of the attack.
'In line with best practice, Air New Zealand notified the Privacy Commissioner of our investigation into a potential incident on 31 July,' she said.
'We received confirmation on Thursday last week of the customers potentially affected by this issue and on Friday we proactively contacted those who may have been impacted.'
Those customers received an email outlining the breach of information.
Exposed data included information associated with members that was visible in internal documents, the spokeswoman said.
This varied by member and could include details such as Airpoints number, members' name and email.
'Passport details shared with us through an Airpoints member profile or through an online flight booking are not impacted,' she said.
'A very small number of limited passport details could have potentially been visible in internal documents, should these documents have been accessed.'
The spokeswoman did not provide details into how the phishing attack was successful but she said the company apologised to customers for the 'inconvenience'.
However, one cyber security expert said the attack could be more than an inconvenience for exposed customers.
Dr Panos Patros, a specialist in cyber security at the University of Waikato, said the phishing attack could have long-term consequences for people who have lost control of their own information.
'Once something is out there it is virtually impossible to disappear so, at this point, if it's out there, it's done.'
Patros said a good practice for those affected by the breach would be to change passwords frequently and to monitor credit cards.
'The problem is, the moment things are out there, then they can be used as a means to gain further information. Because now they have something of you so then they can use it in another attack or to confuse someone else.'
Patros said phishing was a social engineering technique rather than a hack.
'Which means that people do not hack into your data by breaking through algorithms. Phishing happens because we give out stuff.'
Victims might receive an email that looked legitimate and respond with usernames, passwords and other details.
Patros said there was some awareness of the potential risks however, New Zealand was less proactive than other countries.
'In Canada we had active training about how not to fall for this sort of thing,' he said.
'Just talking about it is not enough. We have to learn by mistake and the mistakes need to be in a controllable way.'
While protecting data can be difficult, Patros said people could minimise the data they shared with companies and organisations.
One of the things often used to confirm a person's identity is their mother's maiden name or the first school they went to, he said.
'At a glance this is information that appears completely private but then you think, everybody goes and posts this information on social media. So, it's not difficult to piece together a profile of a person and then imitate them.'
What to do if you are a victim of phishing:
* Change passwords regularly
* Monitor credit card accounts
* Don't put common security information on social media
* If you receive an official email, check email addresses and go to company websites independently of emailed links
* Delete suspect emails immediately