Singapore Airlines hit by a data breach compromising private data of 285 customers

• Personal information of 278 customers was compromised which involved details such as customers’ names, email addresses, account numbers, membership tier statuses, KrisFlyer miles, recent miles transactions, upcoming flights, and KrisFlyer rewards.
• The incident also compromised the passport details of 7 customers. However, no credit card details were compromised.

A software glitch in Singapore Airlines website caused a data breach impacting 285 customers. Out of which 278 customers’ private data such as customers’ names, email addresses, account numbers, membership tier statuses, KrisFlyer miles, recent miles transactions, upcoming flights, and KrisFlyer rewards were compromised.

The remaining seven customers’ passport details were compromised, a spokesperson for Singapore Airlines said. However, the spokesperson confirmed that no changes were made to customers’ accounts and no credit card details were compromised.

What happened?

“The ‘software bug’ surfaced after changes were made to the Singapore carrier's website on January 4 and enabled some of its KrisFlyer members to view information belonging to other travelers,” Singapore Airlines told ZDNet in an email.

A spokesperson for Singapore Airlines confirmed the breach and told that the incident occurred between 2 am and 12.15 pm, Singapore time, on 4 January 2019. He further confirmed that this was a one-off software bug and was not the result of an external party's breach of their systems or members' accounts.

Upon learning the incident, the SIA reported the incident to Singapore's Personal Data Protection Commission. The airline said that it will notify all the affected customers about the breach.

One customer could see personal details of someone else

Earlier the same day, an SIA customer named Tricia Leo reported that she was able to view someone else's private data after logging into her KrisFlyer account using her login credentials.

These details included the other member's upcoming trip, such as the destination and departure date, as well as his recent transactions, which includes the number of miles he has converted using points from his credit card and a recent trip he took to Tokyo.

When Leo contacted SIA’s customer hotline, the call agent informed her that the airline was performing a system upgrade and instructed her to log out the account and log back in after 24 hours.

“Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing?” Leo said.

“It's frustrating that we're held hostage by these companies that demand our personal details, but don't keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured,” Leo added.

Leo further said that the governments need to impose fines and implement policies that will make these companies take security more seriously. Call centers, such as SIA's, also should be better trained to deal with such incidents.

Notably, Singapore’s Personal Data Protection Commission oversees issues related to personal data protection and enforces the country's Personal Data Protection Act. Under this act, the companies that are found to have breached the stipulated rules can be fined up to S$10,000 (US$7,325) per customer complaint or face a maximum penalty of S$1 million (US$732,532).