Geekzone: technology news, blogs, forums


freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#254376 9-Aug-2019 15:54

Air New Zealand sent out emails to a number of AirPoints users about a possible breach, resulting from a phishing attack that managed to gain access to a couple of staff accounts.

 

While they say passwords and credit card numbers were not leaked, I am always on the side of "change it now".

 

While at it, remember to not re-use passwords between different services.

 









KiwiSurfer
1722 posts

Uber Geek
+1 received by user: 993

ID Verified
Lifetime subscriber

  #2293047 9-Aug-2019 16:04

Interesting, I don't seem to have received the given email. Thanks for the notification, @freitasm. I've changed my AirNZ password.


freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2293049 9-Aug-2019 16:05

As mentioned, not everyone was affected but I always change passwords on this kind of notification - sometimes the actual extent of a breach is not known until later...






 




sonyxperiageek
2984 posts

Uber Geek
+1 received by user: 397

Trusted

  #2293052 9-Aug-2019 16:11

What timing as I had just gone through the (huge) list of services in LastPass (changed this master password too), and changed all my passwords just last night!

 

They still don't mention if passport details are leaked or not.





Sony


KiwiSurfer
1722 posts

Uber Geek
+1 received by user: 993

ID Verified
Lifetime subscriber

  #2293053 9-Aug-2019 16:15

freitasm:

 

As mentioned, not everyone was affected but I always change passwords on this kind of notification - sometimes the actual extent of a breach is not known until later...

 

 

Your point re actual extent not known until later is the reason why I'd have thought Air NZ would have erred on the side of caution by sending out this email to all their members.


RunningMan
9184 posts

Uber Geek
+1 received by user: 4834


  #2293055 9-Aug-2019 16:16

https://www.tvnz.co.nz/one-news/new-zealand/air-new-zealand-data-breach-over-100-000-airpoints-customers-potentially-affected

 

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.


 
 
 
 

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2293057 9-Aug-2019 16:18

RunningMan:

 

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.

 

 

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

 

As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.






 


dauckland
290 posts

Ultimate Geek
+1 received by user: 27

Trusted
Lifetime subscriber

  #2293079 9-Aug-2019 16:24

freitasm:

RunningMan:


Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.



"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.


As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.



Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was apparently forwarded to AirNZ privacy officer.
But my assumption is that passport details and therefore identity has been stolen.

Dear AirNZ, would you terribly mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

littlehead
222 posts

Master Geek
+1 received by user: 102


  #2293088 9-Aug-2019 16:38

dauckland:
freitasm:

 

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

 


Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was apparently forwarded to AirNZ privacy officer.
But my assumption is that passport details and therefore identity has been stolen.

Dear AirNZ, would you terribly mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

 

Got the same email, changed my password immediately. The fact that they are not telling us what specific details could have been accessed is pretty bad, does not let me plan accordingly in any way. I've also emailed them for details on what exactly could have been potentially leaked as "information relating to membership profile" can be incredibly broad. As of right now I have to assume everything about me associated with Airpoints and AirNZ, bar credit card info, is now compromised. Someone could easily do full identity fraud with passport validation with that data.


Trumpkin
6 posts

Wannabe Geek
+1 received by user: 3


  #2293151 9-Aug-2019 18:55

The Privacy Commissioner was notified on the 31st July, but affected Airpoints members were only notified on the 9th August.

 

I've not seen anything to account for the delay between when they knew about the issue and when they decided to inform those affected, 9 days later.

 

For frequent fliers, there is a mass of personally identifiable information (PII) that Air NZ will have which could not just have personal impact but commercial impacts too, like the following example.

 

(I can't post links yet, but Google "private jet data takeover revealed" and you'll get the CNBC report - "A corporate jet suggested Buffett’s energy deal was in works days before it was announced")

 

They also say that people need to be only "on the lookout for phishing emails over the next few months". Depending on what PII was covered by the breach, some of it, e.g. date of birth, addresses, passport info, etc. could remain valid for years.

 

Similarly there might be more than just phishing risks, the breached data could be enough for people to make loan / credit card applications and other use of identity information.

 

I'd keep an eye on your credit report, e.g. using a free account on Credit Simple (easy to find with Google).


Goosey
3014 posts

Uber Geek
+1 received by user: 867

Subscriber

  #2293175 9-Aug-2019 19:44

@freitasm   GKZ gets a mention...

 

here

 

edit...the mention seems to be quoting your comments above :-)


 
 
 

Trumpkin
6 posts

Wannabe Geek
+1 received by user: 3


  #2293185 9-Aug-2019 19:52

Goosey:

 

@freitasm   GKZ gets a mention...

 

here

 

edit...the mention seems to be quoting your comments above :-)

 

 

Several of the comments are from people who have contacted Air NZ and were told:

 

  • "name, occupation, employer, more important my email, address and phone number. Plus Airpoints status"
  • "name, job title, employer, address, email, phone number, Airpoints status, points balance and account number"

 


larknz
1976 posts

Uber Geek
+1 received by user: 382

ID Verified
Lifetime subscriber

  #2293243 9-Aug-2019 20:36

A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

Trumpkin
6 posts

Wannabe Geek
+1 received by user: 3


  #2293245 9-Aug-2019 20:40

larknz: A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

 

Even if you don't add it to the Airpoints website, if you fly internationally then they will need to capture your passport information. If your flight is linked to your Airpoints account then they will have your passport info linked.


merknz
36 posts

Geek
+1 received by user: 7


  #2293339 10-Aug-2019 04:33

 

 

From the wording, it appears it was a report that was accessed via an Email/OneDrive account. I don't know any more than you do, but I would doubt that the bad actor had any access to Internal systems. The system that holds credit card hashes is heavily protected and audited, the one that holds passport information is also restricted and able to be audited. My guess is that the delay was AirNZ going through every audit log to see if there were any additional breaches. If you were told one thing, and ten days later told another, you'd go through the roof. They're trying to be sure.

 

The security team is dedicated, staff are trained every year on phishing scams and what to watch for, it was likely a VERY complicated scam or simply inattention which is a very human trait.

 

 

 

 

 

 

 

 

