United website breach let fliers see each others' private data
Alice Taylor could have requested a very expensive upgrade on your behalf. The airline isn't saying why.
My wife came back from giving a conference speech in Las Vegas in December with the weirdest story: when she fired up the United check-in mobile site, she found herself looking at someone else's flight details, along with cellular numbers, home address, passport details, and buttons that would let her request multi-thousand-dollar upgrades for strangers. Every time she hit reload, she got someone else's private information.
She contacted United over email and was advised to send screenshots in via a form that rejected them because they were over 1MB (she didn't have any tools on her phone to reduce them). She emailed them twice more asking for an alternative means of sending in the screenshots and never heard back.
Last week, I phoned Kevin Johnston, United's Head of Press, Europe, Middle East, Africa and India, to ask him about this, and he stonewalled me, refusing to say much beyond the bland, meaningless non-comment of: "The security of our customers’ travel information is very important to us."
Johnston confirmed that they had experienced a bug with their app that leaked sensitive personal information to random customers. He wouldn't say when the bug started, or how many people experienced it, though he said that 20 customers reported it, and that it was fixed on December 17. He would not answer these questions:
* Does United know how many customers' personal details were leaked?
* Does United know which customers' data was leaked?
* Does United know who they leaked other customers' information to?
* Has United taken any steps to notify customers whose sensitive information was leaked?
Based on his consistent "no comment" and unwillingness to elaborate on these questions despite multiple tries, I came away with the strong impression that the answer to all these questions is "no." That seems a reasonable inference -- though Johnston wouldn't comment on whether or not he agreed that this was a reasonable inference. (If you have been notified by United about this breach, I'd love to hear from you!)
Johnston denied that my wife had sent United her screenshots, denied that passport information was available, and denied that customers were able to charge upgrades to other customers. My wife has shown me the sent email in her Gmail account confirming that she did contact United on three occasions (Johnston refused to comment on this). She also affirms that she definitely saw passport details, and went through the steps to upgrade a stranger, but stopped short of clicking the "confirm" button.
United is legally obliged to notify customers affected by data breaches. In 47 states and throughout the EU, customers are legally entitled to speedy notification of breaches.
Did you experience this bug? Did you hear from United about your data being leaked?
Mistakes happen, and there are good ways and bad ways of dealing with them. Burying them and refusing to discuss them is neither a responsible, nor a legal way of responding to this kind of breach.