A good time to change your Air NZ password

Forums › Travel (planes, train, cruise) › A good time to change your Air NZ password

freitasm

BDFL - Memuneh
64189 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

# 254376 9-Aug-2019 15:54

4 people support this post

Air New Zealand sent out emails to a number of AirPoints users about a possible breach, resulting of a phishing attack that managed to gain access to a couple of staff accounts.

While they say passwords and credit card numbers were not leaked, I am always on the side of "change it now".

While at it, remember to not re-use passwords between different services.

My technology disclosure | Digital Transformation | Enterprise Content Management | Customer Relationship Management | Data Insights, Business Intelligence and Advanced Analytics

1 | 2 | 3

5698 posts

Uber Geek

Trusted

Geekzone

Lifetime subscriber

# 2293040 9-Aug-2019 15:54

Allow me to introduce you folks to our new travel community: TravelTalk NZ.

We hope to see you there!

I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.

KiwiSurfer

531 posts

Ultimate Geek

Lifetime subscriber

# 2293047 9-Aug-2019 16:04

Interesting, I don't seem to have received the given email. Thanks for the notification, @freitasm. I've changed my AirNZ password.

freitasm

BDFL - Memuneh
64189 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

# 2293049 9-Aug-2019 16:05

2 people support this post

As mentioned, not everyone was affected but I always change passwords on this kind of notifications - sometimes the actual extent of a breach is not known until later...

My technology disclosure | Digital Transformation | Enterprise Content Management | Customer Relationship Management | Data Insights, Business Intelligence and Advanced Analytics

sonyxperiageek

2646 posts

Uber Geek

Trusted

# 2293052 9-Aug-2019 16:11

One person supports this post

What timing as I had just gone through the (huge) list of services in LastPass (changed this master password too), and changed all my passwords just last night!

They still don't mention if passport details are leaked or not.

Sony

NZ TechBlog | Follow me on Twitter | My Geekzone blog | TransferWise (Free International Transfer up to $900 (Affiliate Link)

KiwiSurfer

531 posts

Ultimate Geek

Lifetime subscriber

# 2293053 9-Aug-2019 16:15

One person supports this post

freitasm:

As mentioned, not everyone was affected but I always change passwords on this kind of notifications - sometimes the actual extent of a breach is not known until later...

Your point re actual extent not known until later is the reason why I'd have thought Air NZ would have erred on the side of caution by sending out this email to all their members.

RunningMan

5523 posts

Uber Geek

# 2293055 9-Aug-2019 16:16

https://www.tvnz.co.nz/one-news/new-zealand/air-new-zealand-data-breach-over-100-000-airpoints-customers-potentially-affected

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.

freitasm

BDFL - Memuneh
64189 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

# 2293057 9-Aug-2019 16:18

RunningMan:

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.

My technology disclosure | Digital Transformation | Enterprise Content Management | Customer Relationship Management | Data Insights, Business Intelligence and Advanced Analytics

dauckland

270 posts

Ultimate Geek

Lifetime subscriber

# 2293079 9-Aug-2019 16:24

2 people support this post

freitasm:
RunningMan:

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.

Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was aparently forwarded to AirNZ privacy officer.
But my assumtion is that passport details and therefore identify has been stolen.

Dear AirNZ, would you terrible mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

littlehead

129 posts

Master Geek

# 2293088 9-Aug-2019 16:38

dauckland:
freitasm:

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was aparently forwarded to AirNZ privacy officer.
But my assumtion is that passport details and therefore identify has been stolen.

Dear AirNZ, would you terrible mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

Got the same email, changed my password immediately. The fact that they are not telling us what specific details could have been accessed is pretty bad, does not let me plan accordingly in any way. I've also emailed them for details on what exactly could have been potentially leaked as "information relating to membership profile" can be incredibly broad. As of right now I have to assume everything about me associated with Airpoints and AirNZ, bar credit card info, is now compromised. Someone could easily do full identity fraud with passport validation with that data.

Trumpkin

6 posts

Wannabe Geek

# 2293151 9-Aug-2019 18:55

One person supports this post

The Privacy Commissioner was notified on the 31st July, but affected Airpoints members were only notified on the 9th August.

I've not seen anything to account for the delay between when they knew about the issue and when they decided to inform those affected, 9 days later.

For frequent fliers, there is a mass of Personally identifiable information (PII) that Air NZ will have which could not just have personal impact but commercial impacts too like the following example.

(I can't post links yet, but Google "private jet data takeover revealed" and you'll get the CNBC report - "A corporate jet suggested Buffett’s energy deal was in works days before it was announced")

They also say that people need to be only "on the lookout for phishing emails over the next few months". Depending on what PII was covered by the breach, some of it, e.g. date of birth, addresses, passport info, etc. could remain valid for years.

Similarly there might be more than just phishing risks, the breached data could be enough for people to make loan / credit card applications and other use of identity information.

I'd keep an eye on your credit report, e.g. using a free account on Credit Simple (easy to find with Google).

Goosey

1834 posts

Uber Geek

Subscriber

# 2293175 9-Aug-2019 19:44

@freitasm GKZ gets a mention...

here

edit...the mention seems to be quoting your comments above :-)

Trumpkin

6 posts

Wannabe Geek

# 2293185 9-Aug-2019 19:52

Goosey:

@freitasm GKZ gets a mention...

here

edit...the mention seems to be quoting your comments above :-)

Several of the comments are from people who have contacted Air NZ and were told:

"name, occupation, employer, more important my email, address and phone number. Plus Airpoints status"
"name, job title, employer, address, email, phone number, Airpoints status, points balance and account number"

larknz

251 posts

Ultimate Geek

Lifetime subscriber

# 2293243 9-Aug-2019 20:36

One person supports this post

A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

Trumpkin

6 posts

Wannabe Geek

# 2293245 9-Aug-2019 20:40

2 people support this post

larknz: A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

Even if you don't add it to the Airpoints website, if you fly internationally then they will need to capture your passport information. If your flight is linked to your Airpoints account then they will have your passport info linked.

merknz

35 posts

Geek

# 2293339 10-Aug-2019 04:33

2 people support this post

From the wording, it appears it was a report that was accessed via an Email/Onedrive account. I don't know any more than you do, but I would doubt that the bad actor had any access to Internal systems. The system that holds credit card hashes is heavily protected and audited, the one that holds passport information is also restricted and able to be audited. My guess is that the delay was AirNZ going through every audit log to see if there was any additional breaches. If you were told one thing, and ten days later told another, you'd go through the roof. They're trying to be sure.

the security team is dedicated, staff are trained every year on phishing scams and what to watch for, it was likely a VERY complicated scam or simply inattention which is a very human trait.

1 | 2 | 3