Undiscovered Software Bug In Singapore Airline’s KrisFlyer System Caused Cross-Customer Data Leakage
KrisFlyer, the frequent flyer program of Singapore Airlines is facing a critical software bug that caused 285 of its members to have their personal information exposed to other KrisFlyer members. Singapore Airlines has blamed this issue to a bug in their website, that caused details of their frequent fliers to leak, including the member’s full name, email address, membership tier, account number, the accumulated miles/rewards, travel history and possibly even passport information in seven instances.
“We have been made aware of a number of cases in which a customer (who) logged in to his or her KrisFlyer account, under certain specific conditions, may have been able to see selective details of another customer,” explained a Singapore Airline spokesperson.
Apparently, the bug gets triggered if two or more KrisFlyer members access their online accounts at the same time, hence they are assigned similar IDs in the system. From the initial information provided by Singapore Airlines, the bug got triggered from 2:00am to 12:15pm Jan 4, 2019 GMT+8. Around 285 KrisFlyer accounts were affected, though they have made any disclosure of the identity of the affected users.
Tricia Leo, a self-confessed KrisFlyer has encountered unexpected behavior with her account, as she was able to view data from an account that was not hers in a login attempt to KrisFlyer’s system. “I tried a new login and I could see his entire history, upcoming trips, miles. If organisations that demand our personal data don’t guard our information properly, then they need to be called out on it. “I saw that my miles were significant lower and I had a different Elite status than what was shown on screen, so I initially thought my account had been hacked.,” emphasize Leo.
Singapore’s Personal Data Protection Commission has been informed by Singapore Airlines about the information leakage, and the Singpore Flag carrier is trying to contact all affected customers. “We have established that this was a one-off software bug and was not the result of an external party’s breach of our systems or members’ accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved,” added SIA spokesperson.
In the case of Ms. Leo, her account upon logging-in shows the name ‘Robert Sia’, which is someone else’s information being displayed in her profile page. “”So, that meant that if I made any changes to my account or flight, those personal details of mine would be emailed to a total stranger. She (a Singapore Airline support team member) sounded like she was trying to brush me off and treated the issue rather matter-of-factly, She didn’t even offer to explain the situation to me. They have my passport details on file, including the expiry date, as well as my travel details. I think it’s serious enough to warrant a better response than the one I got, especially since my friend’s travel details also are in my account as he’s a redemption nominee,” explained Leo.
Singapore Airlines is in the transition phase of their blockchain-based digital wallet project, which aims to minimize if not prevent any future security issues like this one in the immediate future. It is however important for the airline to have emphatic staff which can help handle critical customer inquiries like Ms. Leo sends. “Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing? It’s frustrating that we’re held hostage by these companies that demand our personal details, but don’t keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured. “I was also affected by the recent Marriott security breach and all you get is a one-pager without any specific details on how we can rectify the problem. It’s starting to seem like there’s a security breach almost every other week now and we’ve come to accept that as a norm when that shouldn’t be the case,” added Leo.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.