United website breach let fliers see each other's private data
Alice Taylor could have requested a very expensive upgrade on your behalf. The airline isn't saying why.
My wife came back from giving a conference speech in Las Vegas in December with the weirdest story: when she fired up the United check-in mobile site, she found herself looking at someone else's flight details, along with cellular numbers, home address, passport details, and buttons that would let her request multi-thousand-dollar upgrades for strangers. Every time she hit reload, she got someone else's private information.
She contacted United over email and was advised to send screenshots in via a form that rejected them because they were over 1MB (she didn't have any tools on her phone to reduce them). She emailed them twice more asking for an alternative means of sending in the screenshots and never heard back.
Last week, I phoned Kevin Johnston, United's Head of Press, Europe, Middle East, Africa and India, to ask him about this, and he stonewalled me, refusing to say much beyond the bland, meaningless non-comment of: "The security of our customers’ travel information is very important to us."
Johnston confirmed that they had experienced a bug with their app that leaked sensitive personal information to random customers. He wouldn't say when the bug started, or how many people experienced it, though he said that 20 customers reported it, and it was fixed on December 17. He would not answer these questions:
* Does United know how many customers' personal details were leaked?
* Does United know which customers' data was leaked?
* Does United know who they leaked other customers' information to?
* Has United taken any steps to notify customers whose sensitive information was leaked?
Based on his consistent "no comment" and unwillingness to elaborate on these questions despite multiple tries, I came away with the strong impression that the answer to all these questions is "no." That seems a reasonable inference -- though Johnston wouldn't comment on whether or not he agreed that this was a reasonable inference. (If you have been notified by United about this breach, I'd love to hear from you!)
Johnston denied that my wife had sent United her screenshots, and also denied that passport information was available, and that customers were able to charge upgrades to other customers. My wife has shown me the sent email in her Gmail account confirming that she did contact United on three occasions (Johnston refused to comment on this). She also affirms that she definitely saw passport details, and went through the steps to upgrade a stranger, but stopped short of clicking the "confirm" button.
United is legally obliged to notify customers affected by data breaches. In 47 states and throughout the EU, customers are legally entitled to speedy notification of breaches.
Did you experience this bug? Did you hear from United about your data being leaked?
Mistakes happen, and there are good ways and bad ways of dealing with them. Burying them and refusing to discuss them is neither a responsible nor a legal way of responding to this kind of breach.