Singapore Airlines (SIA) says a software glitch was the cause of a data breach that affected 284 members of its frequent flyer programme, compromising various personal information including passport and flight details.
The “software bug” surfaced after changes were made to the Singapore carrier’s website on January 4 and enabled some of its Krisflyer members to view information belonging to other travellers, SIA told ZDNet in an email.
A spokesperson said a review of its system logs revealed 284 such cases, of which 277 might have exposed the member’s name, email address, account number, membership tier status, Krisflyer miles, recent miles transactions, upcoming flights, and Krisflyer rewards.
The remaining seven accounts might have had their passport details compromised, said the spokesperson, who added that no changes were made to the members’ accounts and no credit card details were compromised.
“We have established that this was a one-off software bug and was not the result of an external party’s breach of our systems or members’ accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved,” the spokesperson said.
The airline said it would contact all affected customers and had “voluntarily informed” Singapore’s Personal Data Protection Commission about the data breach.
The commission oversees issues related to personal data protection and enforces the country’s Personal Data Protection Act, under which companies found to have breached stipulated rules can be fined up to S$10,000 (US$7,325) per customer complaint or face a maximum penalty of S$1 million (US$732,532).
ZDNet earlier today reported that an SIA customer was able to view someone else’s personal data after logging into her Krisflyer account using her user ID and password. These details had included the other member’s upcoming trip, including the destination and departure date, as well as his recent transactions such as the number of miles he converted using points from his credit card and a recent trip he took to Tokyo.
Upon contacting SIA’s customer hotline, she was informed by the call agent that the airline was performing a system upgrade and instructed to log out of her account and log back in after 24 hours. “Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing?” the customer had said. “It’s frustrating that we’re held hostage by these companies that demand our personal details, but don’t keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured.”
Singapore also has a Cybersecurity Bill, passed in February 2018, that outlines a legal framework addressing the management of the country’s security infrastructure, including the protection of ICT systems operated by nine critical information infrastructure (CII) sectors. These include the government, banking and finance, energy, water, and aviation, which is covered under the transport sector. Under the bill, CII operators are to ensure their systems are adequately protected against cyberattacks.