Bug in Singapore Airlines’ website exposed personal data of 285 flyers

Bug in Singapore Airlines’ website exposed personal data of 285 flyers

SITA data breach compromised data associated with multiple international airlines

Singapore Airlines has announced that a software bug that surfaced during an upgrade to its official website on January 4th allowed frequent flyers to view personal information of other frequent flyers and exposed data of up to 285 flyers before the bug was fixed.

Last week, a Singapore Airlines customer, who is a member of the airline’s Krisflyer (frequent flyer) programme, toold ZDNet that after logging in to her Krisflyer account, she was able to view detailed account information of another passenger, including details about recent transactions, upcoming trips, the most recent trip, the associated email address, as well as the number of miles converted using credit card points.

After the customer contacted Singapore Airlines to report the issue, she was instructed to log out of her account and log back in after 24 hours as the airline was carrying out a system upgrade.

“Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing? It’s frustrating that we’re held hostage by these companies that demand our personal details, but don’t keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured,” she told ZDNet.

Bug exposed personal data of 285 flyers

When contacted by the news site, Singapore Airlines said that the information leak occurred due to a software bug that surfaced when the airline was carrying out changes to its official website on 4th January.

It added that before it was fixed, the bug resulted in the exposure of names, email addresses, account numbers, membership status, Krisflyer miles, recent miles transactions, upcoming flights, and Krisflyer rewards of 278 frequent flyers as well as the exposure of passport details of seven other flyers.

“We have established that this was a one-off software bug and was not the result of an external party’s breach of our systems or members’ accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved,” a Singapore Airlines’ spokesperson told ZDNet.

Bugs introduced during tech updates compromising user privacy

This isn’t the first time that software bugs introduced during technology upgrades have compromised personal information of millions of individuals who have entrusted the world’s largest companies with the safeguarding of their personal information.

Last month, Facebook announced that a software bug in its photos API exposed personal photos of up to 6.8 million users to up to 1,500 third-party apps, including photos that users uploaded to Facebook but chose not to share.

The apps that had access to photos of millions of users between September 13 and September 25 were authorised by Facebook to access the photos API and had also obtained prior approval from users to access photos that had been shared on their timeline.

However, thanks to the bug, developers of such third-party apps gained access not only photos that people shared on their timeline, but also to those shared on Marketplace or Facebook Stories and also to photos that people uploaded to Facebook but chose not to post.

In December, Google also announced that a freshly-introduced bug in a Google+ API exposed personal information of up to 52.5 million users to app developers and third parties. Information exposed by the bug included names, dates of birth, gender and email addresses and could be viewed by apps and third parties even when set to not-public.

Google revealed that the bug was introduced to its platform via a software update introduced in November and was fixed within a week of being discovered. Even though personal data of millions of users was exposed, there was no evidence that such data was accessed by any third party or misused by app developers.


Flaw in U.S. Postal Service’s website exposed personal data of 60 million users

Critical macOS security bug lets anyone access a Mac without entering a password

Copyright Lyonsdown Limited 2021

Top Articles

Making employees part of the solution to email security

Security Awareness Training needs to be more than a box-ticking exercise if it is to keep organisations secure from email threats

Windows Hello vulnerability: Bypassing biometric weakness without plastic surgery

Omer Tsarfati, Cyber Security Researcher at CyberArk Labs, describes a flaw that allows hackers to bypass Windows Hello’s facial recognition Biometric authentication is beginning to see rapid adoption across enterprises…

Legacy systems are holding back your digital transformation

Legacy systems pose a threat to organisational security. IT leaders need to be courageous and recognise the need to upgrade their technology

Related Articles

[s2Member-Login login_redirect=”https://www.teiss.co.uk” /]