Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




BDFL - Memuneh
64189 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

# 254376 9-Aug-2019 15:54
4 people support this post
Send private message quote this post

Air New Zealand sent out emails to a number of AirPoints users about a possible breach, resulting of a phishing attack that managed to gain access to a couple of staff accounts.

 

While they say passwords and credit card numbers were not leaked, I am always on the side of "change it now".

 

While at it, remember to not re-use passwords between different services.

 





View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3
5698 posts

Uber Geek

Trusted
Geekzone
Lifetime subscriber

  # 2293040 9-Aug-2019 15:54
Send private message quote this post

Allow me to introduce you folks to our new travel community: TravelTalk NZ.

 

We hope to see you there!

 





I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.



531 posts

Ultimate Geek

Lifetime subscriber

  # 2293047 9-Aug-2019 16:04
Send private message quote this post

Interesting, I don't seem to have received the given email. Thanks for the notification, @freitasm. I've changed my AirNZ password.


 
 
 
 




BDFL - Memuneh
64189 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2293049 9-Aug-2019 16:05
2 people support this post
Send private message quote this post
2646 posts

Uber Geek

Trusted

  # 2293052 9-Aug-2019 16:11
One person supports this post
Send private message quote this post

What timing as I had just gone through the (huge) list of services in LastPass (changed this master password too), and changed all my passwords just last night!

 

They still don't mention if passport details are leaked or not.





531 posts

Ultimate Geek

Lifetime subscriber

  # 2293053 9-Aug-2019 16:15
One person supports this post
Send private message quote this post

freitasm:

 

As mentioned, not everyone was affected but I always change passwords on this kind of notifications - sometimes the actual extent of a breach is not known until later...

 

 

Your point re actual extent not known until later is the reason why I'd have thought Air NZ would have erred on the side of caution by sending out this email to all their members.


5523 posts

Uber Geek


  # 2293055 9-Aug-2019 16:16
Send private message quote this post

https://www.tvnz.co.nz/one-news/new-zealand/air-new-zealand-data-breach-over-100-000-airpoints-customers-potentially-affected

 

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.




BDFL - Memuneh
64189 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2293057 9-Aug-2019 16:18
Send private message quote this post

RunningMan:

 

Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.

 

 

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

 

As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.





 
 
 
 


270 posts

Ultimate Geek

Lifetime subscriber

  # 2293079 9-Aug-2019 16:24
2 people support this post
Send private message quote this post

freitasm:

RunningMan:


Reportedly affects 3.5% of airpoints members. All those affected have been contacted directly.



"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.


As I said in my previous reply, usually companies don't know the real extent of a breach until after a lengthy investigation. If I were Air NZ I would have sent this to everyone.



Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was aparently forwarded to AirNZ privacy officer.
But my assumtion is that passport details and therefore identify has been stolen.

Dear AirNZ, would you terrible mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

129 posts

Master Geek


  # 2293088 9-Aug-2019 16:38
Send private message quote this post

dauckland:
freitasm:

 

"Reportedly". The reality is that while they explicitly mention no APD or CC data was leaked, there is no mention of address, phone number, passport details, DOB. It's actually a big privacy issue.

 


Indeed. It’s what the email doesn’t say that is important.
I tried to get some clarity about this but had no official reply.
The case was aparently forwarded to AirNZ privacy officer.
But my assumtion is that passport details and therefore identify has been stolen.

Dear AirNZ, would you terrible mind paying for my new passport and a couple years of identity fraud protection.

Kind regards

 

Got the same email, changed my password immediately. The fact that they are not telling us what specific details could have been accessed is pretty bad, does not let me plan accordingly in any way. I've also emailed them for details on what exactly could have been potentially leaked as "information relating to membership profile" can be incredibly broad. As of right now I have to assume everything about me associated with Airpoints and AirNZ, bar credit card info, is now compromised. Someone could easily do full identity fraud with passport validation with that data.


6 posts

Wannabe Geek


  # 2293151 9-Aug-2019 18:55
One person supports this post
Send private message quote this post

The Privacy Commissioner was notified on the 31st July, but affected Airpoints members were only notified on the 9th August.

 

I've not seen anything to account for the delay between when they knew about the issue and when they decided to inform those affected, 9 days later.

 

For frequent fliers, there is a mass of Personally identifiable information (PII) that Air NZ will have which could not just have personal impact but commercial impacts too like the following example.

 

(I can't post links yet, but Google "private jet data takeover revealed" and you'll get the CNBC report - "A corporate jet suggested Buffett’s energy deal was in works days before it was announced")

 

They also say that people need to be only "on the lookout for phishing emails over the next few months". Depending on what PII was covered by the breach, some of it, e.g. date of birth, addresses, passport info, etc. could remain valid for years.

 

Similarly there might be more than just phishing risks, the breached data could be enough for people to make loan / credit card applications and other use of identity information.

 

I'd keep an eye on your credit report, e.g. using a free account on Credit Simple (easy to find with Google).


1834 posts

Uber Geek

Subscriber

  # 2293175 9-Aug-2019 19:44
Send private message quote this post

@freitasm   GKZ gets a mention...

 

here

 

edit...the mention seems to be quoting your comments above :-)


6 posts

Wannabe Geek


  # 2293185 9-Aug-2019 19:52
Send private message quote this post

Goosey:

 

@freitasm   GKZ gets a mention...

 

here

 

edit...the mention seems to be quoting your comments above :-)

 

 

Several of the comments are from people who have contacted Air NZ and were told:

 

  • "name, occupation, employer, more important my email, address and phone number. Plus Airpoints status"
  • "name, job title, employer, address, email, phone number, Airpoints status, points balance and account number"

 


251 posts

Ultimate Geek

Lifetime subscriber

  # 2293243 9-Aug-2019 20:36
One person supports this post
Send private message quote this post

A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

6 posts

Wannabe Geek


  # 2293245 9-Aug-2019 20:40
2 people support this post
Send private message quote this post

larknz: A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

 

Even if you don't add it to the Airpoints website, if you fly internationally then they will need to capture your passport information. If your flight is linked to your Airpoints account then they will have your passport info linked.


35 posts

Geek


  # 2293339 10-Aug-2019 04:33
2 people support this post
Send private message quote this post

 

 

From the wording, it appears it was a report that was accessed via an Email/Onedrive account. I don't know any more than you do, but I would doubt that the bad actor had any access to Internal systems. The system that holds credit card hashes is heavily protected and audited, the one that holds passport information is also restricted and able to be audited. My guess is that the delay was AirNZ going through every audit log to see if there was any additional breaches. If you were told one thing, and ten days later told another, you'd go through the roof. They're trying to be sure. 

 

the security team is dedicated, staff are trained every year on phishing scams and what to watch for, it was likely a VERY complicated scam or simply inattention which is a very human trait. 

 

 

 

 

 

 

 

 


 1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Kiwi workers still falling victim to old cyber tricks
Posted 12-Aug-2019 20:47


Lightning Lab GovTech launches 2019 programme
Posted 12-Aug-2019 20:41


Epson launches portable laser projector
Posted 12-Aug-2019 20:27


Huawei launches new distributed HarmonyOS
Posted 12-Aug-2019 20:20


Lenovo introduces single-socket servers for edge and data-intensive workloads
Posted 9-Aug-2019 21:26


The Document Foundation announces LibreOffice 6.3
Posted 9-Aug-2019 16:57


Symantec sell enterprise security assets for US$ 10.7 billion to Broadcom
Posted 9-Aug-2019 16:43


Artificial tongue can distinguish whisky and identify counterfeits
Posted 8-Aug-2019 20:20


Toyota and Preferred Networks to develop service robots
Posted 8-Aug-2019 20:11


Vodafone introduces new Vodafone TV device
Posted 7-Aug-2019 17:16


Intel announces next-generation Intel Xeon Scalable processors with up to 56 cores
Posted 7-Aug-2019 15:41


Nokia 2.2 released in New Zealand
Posted 5-Aug-2019 19:38


2degrees celebrating ten years
Posted 5-Aug-2019 05:00


Sure Petcare launches SureFeed microchip pet feeder
Posted 2-Aug-2019 17:00


Symantec Threat Intelligence: revival and rise of email extortion scams
Posted 2-Aug-2019 16:55



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.