United website breach let fliers see each others' private data
Alice Taylor could have requested a very expensive upgrade on your behalf. The airline isn't saying why.
My wife came back from giving a conference speech in Las Vegas in December with the weirdest story: when she fired up the United check-in mobile site, she found herself looking at someone else's flight details, along with cellular numbers, home address, passport details, and buttons that would let her request multi-thousand-dollar upgrades for strangers. Every time she hit reload, she got someone else's private information.
She contacted United over email and was advised to send screenshots in via a form that rejected them because they were over 1MB (she didn't have any tools on her phone to reduce them). She emailed them twice more asking for an alternative means of sending in the screenshots and never heard back.
Last week, I phoned Kevin Johnston, United's Head of Press, Europe, Middle East, Africa and India, to ask him about this, and he stonewalled me, refusing to say much beyond the bland, meaningless non-comment of: "The security of our customers’ travel information is very important to us."
Johnston confirmed that they had experienced a bug with their app that leaked sensitive personal information to random customers. He wouldn't say when the bug started, or how many people experienced it, though he said that 20 customers reported it, and it was fixed on December 17. He would not answer these questions:
* Does United know how many customers' personal details were leaked?
* Does United know which customers' data was leaked?
* Does United know who they leaked other customers' information to?
* Has United taken any steps to notify customers whose sensitive information was leaked?
Based on his consistent "no comment" and unwillingness to elaborate on these questions despite multiple tries, I came away with the strong impression that the answer to all these questions is "no." That seems a reasonable inference -- though Johnston wouldn't comment on whether or not he agreed that this was a reasonable inference. (If you have been notified by United about this breach, I'd love to hear from you!)
Johnston denied that my wife had sent United her screenshots, and also denied that passport information was available, and that customers were able to charge upgrades to other customers. My wife has shown me the sent email in her Gmail account confirming that she did contact United on three occasions (Johnston refused to comment on this). She also affirms that she definitely saw passport details, and went through the steps to upgrade a stranger, but stopped short of clicking the "confirm" button.
United is legally obliged to notify customers affected by data breaches. In 47 states and throughout the EU, customers are legally entitled to speedy notification of breaches.
Did you experience this bug? Did you hear from United about your data being leaked?
Mistakes happen, and there are good ways and bad ways of dealing with them. Burying them and refusing to discuss them is neither a responsible, nor a legal way of responding to this kind of breach.