Accessible News

Top storiesNew ZealandPoliticsBusinessEntertainmentSportsWorld

Fears Airpoints members' personal information leaked in data breach

Friday, 9 August 2019

A phishing scam affecting two staff accounts at Air New Zealand has resulted in customers
A phishing scam affecting two staff accounts at Air New Zealand has resulted in customers' data being breached.

Air New Zealand's data breach may have affected up to 112,000 Airpoints customers and some are concerned personal information including their passport details, addresses and date of birth may have been exposed to hackers.

Air New Zealand said on Friday about 3.5 per cent of its 3.2 million Airpoints members could have been affected by the breach, around 112,000 people.

Exactly what data has been compromised is unclear, but an email sent to affected customers earlier on Friday assured them account passwords and credit card details were not affected.

Some Airpoints members are worried about what the email didn't say, and anger was mounting on Friday evening as affected customers attacked Air New Zealand's handling of the data breach.

One affected customer, who didn't want to be named for fear his private information had been released, told Stuff the lack of detail from the airline made him assume his passport details had been stolen.

**READ MORE:

Ticketmaster warns New Zealand could be affected by data security breach

ASB warns 'smishing' scam is underway

Tens of thousands of NZ nursing union email addresses hacked in phishing scam**

'So far I've been stonewalled about the details,' he said, after making calls to Air New Zealand's customer service line.

Other Airpoints customers who received the email confirmed Airpoints held a trove of personal information including passport numbers, and the passport numbers of family members who were linked through Airpoints.

'I am mortified by Air New Zealand's negligence,' an Airpoints customer told Stuff

'I have asked them exactly what personal details they have released but no response yet. I am a Gold member and potentially details like name, address, contact phone numbers, job title, employer, credit card details, passport details, gifting register, travel preferences etc have been leaked.'

The airline claimed a phishing scam affecting two staff accounts at Air New Zealand resulted in the breach, and personal information from customer membership profiles may have been visible to hackers in Air New Zealand's internal documents.

Were you affected? Email newstips@stuff.co.nz

The Office of the Privacy Commissioner was made aware of the breach on July 31, a spokesman said.
The Office of the Privacy Commissioner was made aware of the breach on July 31, a spokesman said.

The airline has emailed some Airpoints users individually, and denied passport information was exposed in the breach.

'Some personal information relating to your membership profile could have been potentially visible in our internal documents. This could include your name, job title and employer, mailing address, email address, phone number, Airpoints status, Status Points balance and Airpoints account number,' an Airpoints customer was told.

Other Airpoints members questioned why the airline had informed the Privacy Commissioner about the breach on July 31, but only emailed them on Friday.

Passport details can be stored on the Air New Zealand website when customers log in to check in and tick the box asking if they want their data saved for next time. Scanned copies of passports can also be uploaded to the Air New Zealand app.

The two affected staff accounts had been secured, Air New Zealand said, and the airline was conducting a thorough investigation into how the breach occurred.

An Air New Zealand spokeswoman said in an email that it had received confirmation of the breach on Thursday and informed customers.

She said the airline's IT team 'immediately secured the two affected staff accounts' and it was strengthening its security processes to prevent similar incidents.

'Unfortunately, malicious attacks of this nature are becoming more common.'

Air New Zealand 'apologised to our customers for any inconvenience'.

Air New Zealand was encouraging customers to be on alert for a phishing email over the next few months.

Spokesman for the Office of the Privacy Commissioner, Charles Mabbett, said it had been notified of the data breach on July 31.

He was unable to provide further details about what had occurred.

'We have just been told about it and we trust that they are following data breach best practice in containing this breach.

A thread dedicated to discussing the breach on website Geekzone contains comments from customers who believe other personal data may have been breached.

'There is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue,' said one commenter.

' … usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone,' another said.

Stuff asked Air New Zealand to confirm whether details like phone number, address, date of birth and passport information might have been compromised. 

'Some information associated with member's profiles may have been visible in our internal documents - should these documents have been accessed. This will vary by member and could include details such as Airpoints number, members name and email, as an example,' the email said.

'If someone feels they have been harmed by this data breach they can always make a complaint to our office,' the Air New Zealand spokesman said.