Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




BDFL - Memuneh
67108 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

#254376 9-Aug-2019 15:54
Send private message

Air New Zealand sent out emails to a number of AirPoints users about a possible breach, resulting of a phishing attack that managed to gain access to a couple of staff accounts.

 

While they say passwords and credit card numbers were not leaked, I am always on the side of "change it now".

 

While at it, remember to not re-use passwords between different services.

 





View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3
5813 posts

Uber Geek

Trusted
Geekzone
Lifetime subscriber

  #2293040 9-Aug-2019 15:54
Send private message

Allow me to introduce you folks to our new travel community: TravelTalk NZ.

 

We hope to see you there!

 





I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.



612 posts

Ultimate Geek

Lifetime subscriber

  #2293047 9-Aug-2019 16:04
Send private message

Interesting, I don't seem to have received the given email. Thanks for the notification, @freitasm. I've changed my AirNZ password.


 
 
 
 




BDFL - Memuneh
67108 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2293049 9-Aug-2019 16:05
Send private message

As mentioned, not everyone was affected but I always change passwords on this kind of notifications - sometimes the actual extent of a breach is not known until later...





2734 posts

Uber Geek

Trusted

  #2293052 9-Aug-2019 16:11
Send private message

What timing as I had just gone through the (huge) list of services in LastPass (changed this master password too), and changed all my passwords just last night!

 

They still don't mention if passport details are leaked or not.





Sony

 

--

 

NZ TechBlog Follow me on Twitter | My Geekzone blog | Sharesies Referral | Electric Kiwi Referral | UberEats Referral Code: eats-17atx


612 posts

Ultimate Geek

Lifetime subscriber

  #2293053 9-Aug-2019 16:15
Send private message

freitasm:

 

As mentioned, not everyone was affected but I always change passwords on this kind of notifications - sometimes the actual extent of a breach is not known until later...

 

 

Your point re actual extent not known until later is the reason why I'd have thought Air NZ would have erred on the side of caution by sending out this email to all their members.


5930 posts

Uber Geek


  #2293055 9-Aug-2019 16:16
Send private message

https://www.tvnz.co.nz/one-news/new-zealand/air-new-zealand-data-breach-over-100-000-airpoints-customers-potentially-affected

 

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.




BDFL - Memuneh
67108 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2293057 9-Aug-2019 16:18
Send private message

RunningMan:

 

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.

 

 

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

 

As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.





 
 
 
 


272 posts

Ultimate Geek

Lifetime subscriber

  #2293079 9-Aug-2019 16:24
Send private message

freitasm:

RunningMan:


Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.



"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.


As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.



Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was aparently forwarded to AirNZ privacy officer.
But my assumtion is that passport details and therefore identify has been stolen.

Dear AirNZ, would you terrible mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

148 posts

Master Geek


  #2293088 9-Aug-2019 16:38
Send private message

dauckland:
freitasm:

 

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

 


Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was aparently forwarded to AirNZ privacy officer.
But my assumtion is that passport details and therefore identify has been stolen.

Dear AirNZ, would you terrible mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

 

Got the same email, changed my password immediately. The fact that they are not telling us what specific details could have been accessed is pretty bad, does not let me plan accordingly in any way. I've also emailed them for details on what exactly could have been potentially leaked as "information relating to membership profile" can be incredibly broad. As of right now I have to assume everything about me associated with Airpoints and AirNZ, bar credit card info, is now compromised. Someone could easily do full identity fraud with passport validation with that data.


6 posts

Wannabe Geek


  #2293151 9-Aug-2019 18:55
Send private message

The Privacy Commissioner was notified on the 31st July, but affected Airpoints members were only notified on the 9th August.

 

I've not seen anything to account for the delay between when they knew about the issue and when they decided to inform those affected, 9 days later.

 

For frequent fliers, there is a mass of Personally identifiable information (PII) that Air NZ will have which could not just have personal impact but commercial impacts too like the following example.

 

(I can't post links yet, but Google "private jet data takeover revealed" and you'll get the CNBC report - "A corporate jet suggested Buffett’s energy deal was in works days before it was announced")

 

They also say that people need to be only "on the lookout for phishing emails over the next few months". Depending on what PII was covered by the breach, some of it, e.g. date of birth, addresses, passport info, etc. could remain valid for years.

 

Similarly there might be more than just phishing risks, the breached data could be enough for people to make loan / credit card applications and other use of identity information.

 

I'd keep an eye on your credit report, e.g. using a free account on Credit Simple (easy to find with Google).


1978 posts

Uber Geek

Lifetime subscriber

  #2293175 9-Aug-2019 19:44
Send private message

@freitasm   GKZ gets a mention...

 

here

 

edit...the mention seems to be quoting your comments above :-)


6 posts

Wannabe Geek


  #2293185 9-Aug-2019 19:52
Send private message

Goosey:

 

@freitasm   GKZ gets a mention...

 

here

 

edit...the mention seems to be quoting your comments above :-)

 

 

Several of the comments are from people who have contacted Air NZ and were told:

 

  • "name, occupation, employer, more important my email, address and phone number. Plus Airpoints status"
  • "name, job title, employer, address, email, phone number, Airpoints status, points balance and account number"

 


319 posts

Ultimate Geek

Lifetime subscriber

  #2293243 9-Aug-2019 20:36
Send private message

A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

6 posts

Wannabe Geek


  #2293245 9-Aug-2019 20:40
Send private message

larknz: A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

 

Even if you don't add it to the Airpoints website, if you fly internationally then they will need to capture your passport information. If your flight is linked to your Airpoints account then they will have your passport info linked.


36 posts

Geek


  #2293339 10-Aug-2019 04:33
Send private message

 

 

From the wording, it appears it was a report that was accessed via an Email/Onedrive account. I don't know any more than you do, but I would doubt that the bad actor had any access to Internal systems. The system that holds credit card hashes is heavily protected and audited, the one that holds passport information is also restricted and able to be audited. My guess is that the delay was AirNZ going through every audit log to see if there was any additional breaches. If you were told one thing, and ten days later told another, you'd go through the roof. They're trying to be sure. 

 

the security team is dedicated, staff are trained every year on phishing scams and what to watch for, it was likely a VERY complicated scam or simply inattention which is a very human trait. 

 

 

 

 

 

 

 

 


 1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

OPPO Find X2 Lite brings flagship features to mid-range 5G smartphone
Posted 29-May-2020 12:52


Sony introduces the digital camera ZV-1 for content creators
Posted 27-May-2020 12:47


Samsung Announces 2020 QLED TV Range
Posted 20-May-2020 16:29


D-Link A/NZ launches AI-Powered body temperature measuring system
Posted 20-May-2020 16:22


NortonLifeLock Online Banking Protection now available for New Zealand banks
Posted 20-May-2020 16:14


SD Express delivers new gigabyte speeds for SD memory cards
Posted 20-May-2020 15:00


D-Link A/NZ launches Nuclias cloud managed network solution hosted in Australia
Posted 11-May-2020 17:53


Logitech introduces new video streaming solution for home studios
Posted 11-May-2020 17:48


Next generation Volvo cars to be powered by Luminar LiDAR technology
Posted 7-May-2020 13:56


D-Link A/NZ launches Wi-Fi Certified EasyMesh system
Posted 7-May-2020 13:51


Spark teams up with Microsoft to bring Xbox All Access to New Zealand
Posted 7-May-2020 13:01


Microsoft plans to establish its first datacenter region in New Zealand
Posted 6-May-2020 11:35


Genesis School-gen has joined forces with Mind Lab Kids
Posted 1-May-2020 12:53


Malwarebytes expands into privacy with fast, frictionless VPN
Posted 30-Apr-2020 16:06


Kordia to donate TV airtime on Channel 200 to community groups
Posted 30-Apr-2020 16:00



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.