
Tracking the data breach that gave crooks my credit card details

Saturday, 10 August 2019

Air New Zealand told customers on Friday two of its staff had fallen for a phishing scam and revealed data about 112,000 Airpoints customers.

OPINION: Overseas crooks managed to get hold of my credit card data, and my wife's, from a New Zealand business and tried to steal money from us.

Westpac's fraud detection systems blocked the transactions, but data breaches such as ours, and that of around 112,000 Air New Zealand Airpoints customers, have shone the spotlight on the wave of cyber-crime directed at ordinary people going about their daily lives.

It wasn't obvious my wife and I would ever learn how our data got into the hands of overseas crooks, but I went on a week-long detective mission to find out.

It left me in no doubt about how badly our data-protection laws need updating, as currently there is only a voluntary code requiring businesses to tell customers when their data privacy has been breached.

Air New Zealand notified the Privacy Commission on July 31, but it was not until Friday, August 9 that Air NZ emailed over 112,000 customers to tell them some of their personal information had been compromised.

One angry Air NZ customer vented their frustration about how long their data was in the hands of crooks before they were told.

The emails put some customers in a state of panic. They did not specify which of their data had been handed over by the two Air New Zealanders, leaving them guessing what they should do to protect themselves.

Only by pushing directly for more information have people learnt their name, contact information (including email address) and Airpoints account number 'may' have been visible to criminals.

'Airpoints passwords are not impacted,' one Stuff reader was told directly after demanding more information.

And some are not happy their data was out there (possibly for sale on the 'dark web') for days before they were informed.

The government recognises the voluntary privacy breach guidelines on the Privacy Commission website are not adequate.

Andrew Little's Privacy Act bill had its second reading on Wednesday, and will, when passed, make it an offence for businesses not to tell customers of data breaches 'as soon as practicable' after learning of the breach.

I am not sure when my credit card data was breached, though the transactions attempted on our cards were on Saturday, August 3, and Sunday, August 4.

'We believe both cards were compromised at a self-service vending machine that both you and your wife used on separate occasions,' Westpac spokesman Max Bania told us.

'The transactions were showing as overseas and based on other account activity we established it wasn't physically possible for you to be overseas.'

I was amazed. I did not recall using a vending machine with my card, and it must have been long enough ago for overseas crooks to buy our data, and plan their attack, which involved a small tester transaction (the first of which went through), followed by an attempt at a near $400 transaction (which was blocked by Westpac).

It wasn't just us. 

'Subsequently, our fraud system identified a high frequency of fraud at the spend merchant and auto-blocked the cards,' Bania said.

My wife and I had got pretty close to working out where the data breach was on our own.

We do not shop in the same places often, except at a particular Countdown.

Once the bank told us it believed the breach was through a vending machine, we could join the dots. We had only ever used one vending machine with our cards, and it was in the lobby of that Countdown. It was a Flixbox DVD vending machine.

I called the company's 0800 number, and was told the company had only heard of an issue 'a day or two ago'.

'We were contacted by the ANZ Bank notifying us they noticed suspicious activity, which they believed could be from one of our kiosks. A card skimming device was suggested,' Flixbox's Cliff Hopkins then emailed me.

'As a precaution all kiosks using that brand of payment terminal were deactivated. We have ordered new payment terminals and initiated a software update to accommodate the new brand terminals. Only the kiosks that ran this brand of payment terminal could have been affected, so is not a network wide issue.'

And, he said: 'Our understanding is the banks will contact any affected card holders.'

I do not believe Flixbox knew my email address, or other contact details (it was a vending machine), but I could not find a warning about the suspected data breach on the Flixbox Facebook page or website.

My experience indicates neither my bank, nor the business where my data was compromised, was going to tell me how my data was lost without my detective work.

The Privacy Act requires your bank or card issuer to tell you any information it holds on you when you ask for it, but it's not keen.

It wants its anti-fraud team working on detecting fraud, not writing reports for customers.

'When we believe an account has been compromised, we take immediate steps to contact customers and arrange a replacement card,' Bania said.

'However, for operational reasons, we generally would not provide detail on the circumstances around how it was compromised.'

Quietly, behind the scenes, a tidy-up operation is launched.

'If we are the acquiring bank, we would require the merchant to order a forensic specialist review of their systems and processes, to see how this occurred and prevent it happening again,' Bania said.

All the compromised credit cards would be reported to the 'scheme' (Mastercard or Visa) to be blocked.