Air New Zeland was hacked; passengers’ personal information was leaked

A data breach incident has just been revealed at Air New Zeland airline that, according to network security experts, could have affected more than 110k members of Airponts, its frequent flyer rewards system. The compromised personal data include:

  • Full names
  • Address
  • Date of birth
  • Passport details, maybe

The number of affected users known so far is about 3% of the 3.2 million Airpoints program members.

The airline is not yet clear about how the incident occurred, but they are already in the process of notifying affected users via email, assuring them that their account access password and financial details have not been compromised. However, some members of the Airpoints program remain concerned, as they believe that the airline may have provided further reports in its message, in addition to the airline’s handling of the incident did not satisfy all users: “I think the airline hasn’t revealed everything it knows, that makes me assume that my information might have been stolen,” one of those affected complained.

According to reports from network security experts, the incident would have started with a phishing campaign focused against two personal Air New Zeland accounts. This scam ultimately caused the intrusion, so millions of user data from the reward system could be exposed to the hackers.

Due to hysteria among potential affected users, Air New Zeland has placed particular emphasis on the fact that users’ passport data have not been breached. The airline received new complaints, mainly after it was leaked that the New Zealand Privacy Commission was notified about the incident since May 31, while affected users received the notice just a few hours ago. In response, a company spokeswoman mentioned that the incident was confirmed as a data breach until Thursday night local time; “We want to offer apologies to users affected by this intrusion,” the spokeswoman added.

The passport data of the users may have been stored on the company’s website at the time they log in, as the home page has a function to save the user’s data and that you do not have to register again if you revisit the website. Passport scans may also be stored on the servers of the Air New Zeland mobile app.

As a security measure, the airline’s network security experts took control of the compromised accounts, as well as announcing a thorough investigation to determine the exact causes of the incident and the method used by hackers.

To prevent possible phishing attack attempts that users may experience in the future, the airline recommends staying alert and remembers that for no reason it will ask users for their personal data via email.

Network security specialists at the International Institute of Cyber Security (IICS) mention that companies that are typically victims of data breaches cannot determine the full extent of an incident until after conducting an investigation; until then, the loss of passport data remains speculation, at least until the investigation is over.