35 posts

Geek


  # 2293340 10-Aug-2019 04:44
One person supports this post

larknz: A good reason not to provide any more information than absolutely necessary. I certainly don't give them my passport number.

 

As our Narnian friend says above, passport information is required and sent to many immigration and document check systems; it's a requirement of international travel. Immigration officers will also check your passport against 6-7 different systems both within New Zealand and internationally. Your passport is your permission by the New Zealand government to travel with the rights of a citizen; every e-gate, biometric scanner, or foreign airport you travel in will send your passport details to other systems.

 

The days of only checking your face & signature and stamping your passport have been over for a decade.

 

 

 

https://en.wikipedia.org/wiki/Biometric_passport

 

http://www.odysseymediagroup.com/en/Editorial-Airlines-And-Airports.asp?ReportID=315568

 

https://www.iata.org/publications/timatic/Pages/timatic-autocheck.aspx

 

https://www.customs.govt.nz/personal/travel-to-and-from-nz/travelling-to-nz/egate/

 

 

 

 




BDFL - Memuneh
64189 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2293357 10-Aug-2019 07:57

merknz:

 

From the wording, it appears it was a report that was accessed via an Email/OneDrive account. I don't know any more than you do, but I would doubt that the bad actor had any access to Internal systems. The system that holds credit card hashes is heavily protected and audited, the one that holds passport information is also restricted and able to be audited. My guess is that the delay was AirNZ going through every audit log to see if there were any additional breaches. If you were told one thing, and ten days later told another, you'd go through the roof. They're trying to be sure.

 

The security team is dedicated, staff are trained every year on phishing scams and what to watch for; it was likely a VERY complicated scam or simply inattention, which is a very human trait.

 

 

This is a good summary, thanks.





 
 
 
 


28104 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 2294248 11-Aug-2019 16:54

dauckland:
But my assumption is that passport details and therefore identity has been stolen.

 

Why do you translate your passport number being stolen as your identity being stolen?

 

If a passport number was so valuable it would not be printed on every boarding pass. Most people throw those out after flights and they have your frequent flyer number, full name and passport number on them.

 

 




BDFL - Memuneh
64189 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2294253 11-Aug-2019 17:05
3 people support this post

Not necessarily but it is an important piece to be able to impersonate someone. For example you can open financial accounts online and just need a passport or driver's licence number to go through the identification hurdle.




35 posts

Geek


  # 2294255 11-Aug-2019 17:08
One person supports this post

freitasm: Not necessarily but it is an important piece to be able to impersonate someone. For example you can open financial accounts online and just need a passport or driver's licence number to go through the identification hurdle.

 

 

 

Which is horrible when you think about it, as really they are just government-issued shared secrets that you MUST disclose to certain people when asked.

 

 

 

 


6 posts

Wannabe Geek


  # 2294261 11-Aug-2019 17:19

merknz:

 

freitasm: Not necessarily but it is an important piece to be able to impersonate someone. For example you can open financial accounts online and just need a passport or driver's licence number to go through the identification hurdle.

 

Which is horrible when you think about it, as really they are just government-issued shared secrets that you MUST disclose to certain people when asked.

 

Maybe when the passport number isn't stored in plain text, but encrypted using a certificate? Although I'm not sure if the current passport technology will support this, yet...


 
 
 
 


35 posts

Geek


  # 2297648 13-Aug-2019 17:46
One person supports this post

merknz:

 

but I would doubt that the bad actor had any access to Internal systems.

 

The data was in a summary report attached to the user's Outlook (Office 365) email system.

 

It would appear that no internal systems were compromised as remote access requires significant additional permissions as well as additional factors in authentication. 


28104 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 2297670 13-Aug-2019 19:27

It's worth just adding to this that Air NZ have confirmed that no credit card details, passport details or passwords were compromised.

 

For anybody who uses the same password across multiple websites you should definitely ensure you change it. If that password has been compromised previously against your email address then it could be used to access your Air NZ account.

 

 


6 posts

Wannabe Geek


  # 2297687 13-Aug-2019 20:24

sbiddle:

 

It's worth just adding to this that Air NZ have confirmed that no credit card details, passport details or passwords were compromised.

 

Some passport details may have been compromised:

 

https://www.stuff.co.nz/business/114913189/customers-could-face-longterm-privacy-issues-after-air-new-zealand-data-breach 

 

"A very small number of limited passport details could have potentially been visible in internal documents, should these documents have been accessed."

 

Stuff have also been reading this thread:

 

https://www.stuff.co.nz/business/114881753/a-data-breach-at-air-nz-affects-airpoints-members 

 

 


4870 posts

Uber Geek

Trusted

  # 2297690 13-Aug-2019 20:30

Glad I don't have an Air NZ password to have to change.


35 posts

Geek


  # 2297701 13-Aug-2019 21:14

Trumpkin:

 

Some passport details may have been compromised:

 

https://www.stuff.co.nz/business/114913189/customers-could-face-longterm-privacy-issues-after-air-new-zealand-data-breach 

 

"A very small number of limited passport details could have potentially been visible in internal documents, should these documents have been accessed."

 

 

It wouldn't be a loyalty report, but if the person was a Mainframe user it's possible that screenshots have been emailed to show something (like boarding status) and that could contain passport data. An operational staff member would be responding to messages that have e-tickets, PNRs, passport information etc. It would vary by job function, and the information would only be to support the customer. It's important to note that no information supports a 'hack' to core data systems, merely static copies of some extracts.

 

I am trying to be super careful and not violate company policy, keeping it to general statements. 

 

 

 

 

 

 


28104 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 2297800 14-Aug-2019 07:43
3 people support this post

There are still a lot of people very grumpy at Air NZ over what they've said and the fact they didn't actually reveal on Thursday what data had been leaked. This led to many people swamping them with emails and not getting prompt replies which made them even grumpier.

 

Air NZ's stock standard email response that I've seen from several people now says that your name, email address, phone number, company name, location, Airpoints tier along with your Airpoints balance and number of flights was in the document.

 

I sit on the fence slightly as to my views on the response by Air NZ. It's fine saying your credit card details and password weren't compromised but we know large numbers of people use the same password for everything. If this data has been stolen and sold online it's now very simple to compare email addresses with other data breaches that did include a password and for accounts of people who are stupid enough to use the same password to be easily compromised.

 

While it's true that Air NZ say your "password is not affected", if people use a previously compromised password on Air NZ then your login is not safe and it's imperative that this is changed ASAP.

 

Air NZ also only use your phone number, email address and DOB for verification if making account changes. With 2 of these 3 data points now compromised and the DOB for at least some members probably readily available from other data breaches (or from other data sources) it means there is no data Air NZ have that could be used to verify the authenticity of a caller. To them that should be the scary part.

 

Because Air NZ did not disclose to everybody what was compromised it also makes life really easy for scammers. Should I trust somebody who called me today claiming to be from Air NZ who can provide me with my name, email address, phone number, my Airpoints status and Airpoints balance as proof of identification? I'm sure many people would trust that it was Air NZ calling.

 

A document disclosing what would appear to be an extract of all of Air NZ's HVCs is a truly massive loss of intellectual property especially if it is offered around for sale and becomes available like many other data breaches.

 

IMHO the implications of this are significantly greater than Air NZ really want to make out.

 

 

 

 

 

 

 

 


35 posts

Geek


  # 2299087 14-Aug-2019 11:40
One person supports this post

sbiddle:

 

There are still a lot of people very grumpy at Air NZ over what they've said and the fact they didn't actually reveal on Thursday what data had been leaked. This led to many people swamping them with emails and not getting prompt replies which made them even grumpier. Air NZ's stock standard email response that I've seen from several people now says that your name, email address, phone number, company name, location, Airpoints tier along with your Airpoints balance and number of flights was in the document.

 

I sit on the fence slightly as to my views on the response by Air NZ. It's fine saying your credit card details and password weren't compromised but we know large numbers of people use the same password for everything. If this data has been stolen and sold online it's now very simple to compare email addresses with other data breaches that did include a password and for accounts of people who are stupid enough to use the same password to be easily compromised. While it's true that Air NZ say your "password is not affected", if people use a previously compromised password on Air NZ then your login is not safe and it's imperative that this is changed ASAP.

 

Air NZ also only use your phone number, email address and DOB for verification if making account changes. With 2 of these 3 data points now compromised and the DOB for at least some members probably readily available from other data breaches (or from other data sources) it means there is no data Air NZ have that could be used to verify the authenticity of a caller. To them that should be the scary part.

 

Because Air NZ did not disclose to everybody what was compromised it also makes life really easy for scammers. Should I trust somebody who called me today claiming to be from Air NZ who can provide me with my name, email address, phone number, my Airpoints status and Airpoints balance as proof of identification? I'm sure many people would trust that it was Air NZ calling.

 

A document disclosing what would appear to be an extract of all of Air NZ's HVCs is a truly massive loss of intellectual property especially if it is offered around for sale and becomes available like many other data breaches.

 

IMHO the implications of this are significantly greater than Air NZ really want to make out.

 

 

 

 

I'm going to argue some inconsistencies in this:

 

So you're saying that Air New Zealand should have waited several months for the forensic analysis to be complete so they could say exactly what has been compromised for each individual? Because really, it's a damned if you do, damned if you don't situation. What would you do differently? As far as I can see, best practice was followed in notification. "Hey something happened, you might want to take action, we're investigating"

 

"all of Air NZ's HVCs is a truly massive loss of intellectual property" - That would be true, if it were not 112,000 users of 3,500,00 (3.2%) and unless you know what the contents were, you can't really hazard a guess, the report could be Airpoints customers travelling in the past 2 weeks, or Airpoints customers using the Valet parking service in the past 3 months. It's sweeping statements like that based on assumption that create problems. 

 

As you've readily pointed out, when someone calls you, chances are good, your name, email address, phone number (well they just called you, so duh) is already on the web somewhere, your Airpoints number is really the only other key they would have, so you can simply call and have your Airpoints number changed.  (status/balance become false when the number changes) or possibly AirNZ will be doing that already. 

 

What has been said is that your Airpoints password is not affected. What you're saying is that bad actors can merge this information with several other sources ([if] you use the same password for multiple accounts, and [if] your other accounts have been compromised by other data breaches, and [if] you have not changed your password) to compromise an account. (True) so yes AirNZ have contributed slightly to the problem, along with Cathay, BA, Delta, American Airlines ... oh and Dropbox, Canva, Google, Adobe, Yahoo, Equifax, eBay, Sony Playstation, and let's not forget Security company RSA. It's unfortunate, but a reality of the world we live in now.

 

I'm not trying to downplay what has occurred, AirNZ are owning up to it, but "significantly greater" is perhaps an opinion I don't share. 

 

PS. I totally agree the call centre processes for account changes, will need a revamp in this instance. 

 

 


28104 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 2299524 15-Aug-2019 07:39
One person supports this post

merknz:

 

I'm going to argue some inconsistencies in this:

 

So you're saying that Air New Zealand should have waited several months for the forensic analysis to be complete so they could say exactly what has been compromised for each individual? Because really, it's a damned if you do, damned if you don't situation. What would you do differently? As far as I can see, best practice was followed in notification. "Hey something happened, you might want to take action, we're investigating"

 

"all of Air NZ's HVCs is a truly massive loss of intellectual property" - That would be true, if it were not 112,000 users of 3,500,00 (3.2%) and unless you know what the contents were, you can't really hazard a guess, the report could be Airpoints customers travelling in the past 2 weeks, or Airpoints customers using the Valet parking service in the past 3 months. It's sweeping statements like that based on assumption that create problems. 

 

As you've readily pointed out, when someone calls you, chances are good, your name, email address, phone number (well they just called you, so duh) is already on the web somewhere, your Airpoints number is really the only other key they would have, so you can simply call and have your Airpoints number changed.  (status/balance become false when the number changes) or possibly AirNZ will be doing that already. 

 

What has been said is that your Airpoints password is not affected. What you're saying is that bad actors can merge this information with several other sources ([if] you use the same password for multiple accounts, and [if] your other accounts have been compromised by other data breaches, and [if] you have not changed your password) to compromise an account. (True) so yes AirNZ have contributed slightly to the problem, along with Cathay, BA, Delta, American Airlines ... oh and Dropbox, Canva, Google, Adobe, Yahoo, Equifax, eBay, Sony Playstation, and let's not forget Security company RSA. It's unfortunate, but a reality of the world we live in now.

 

I'm not trying to downplay what has occurred, AirNZ are owning up to it, but "significantly greater" is perhaps an opinion I don't share. 

 

PS. I totally agree the call centre processes for account changes, will need a revamp in this instance. 

 

 

 

 

I'm not arguing Air NZ should have waited. I see no issues with their time frames for notifying customers. I do however take issue with the fact they didn't notify what was leaked when this was known on Thursday, and customers since Friday have been advised of this when they've pushed for it. Why were they not clear and open about this?

 

I don't see any reason why you wouldn't simply tell people what data was revealed unless you're trying to downplay things. Clearly a Stuff or NZ Herald story saying your name, address, phone number, Airpoints Number, status & balance has been taken looks a lot worse than an article and email from Air NZ that says "some of your personal information" may have been visible.

 

It does seem that the compromised document(s) are probably data extracts for offline analysis and based on the numbers of customers in the leak I'd take a pretty big guess that these are neither "Airpoints customers who have traveled in the past 2 weeks" nor "Airpoints customers using the valet parking". This almost certainly is HVC data, and the fact it's essentially been HVCs who have had the email.

 

There are some incredibly angry customers out there. Yes data breaches are a reality, but I just think Air NZ have slipped up here by not being as open as they should have been. Hopefully there are some serious lessons learned from this including storing such sensitive documents on an email platform.

 

 

 

 

