Air New Zealand Falls Victim to a Phishing Attack
How difficult is it to steal data from an airline company that has more than 10 thousand employees, carries close to 16 million passengers every year, and operates a fleet of over 60 aircraft? As it turns out, it depends on how good your phishing skills are. Unfortunately, the cybercriminals attacking Air New Zealand were good enough.
The exact timeline of the incident remains unclear, but according to local media outlet stuff.co.nz, Air New Zealand first got in touch with authorities on July 31. It wasn't until August 9, however, that the airline finally informed potentially affected individuals about the breach.
Members of Air New Zealand's Airpoints program get some of their personal information compromised after a phishing attack
Friday's email is short and to the point. It states that a phishing attack aimed at two Air New Zealand employees has resulted in the potential compromise of some data that belongs to members of Airpoints – the airline's frequent flyer program. Air New Zealand told stuff.co.nz that around 112 thousand customers have been affected. That's just 3.5% of all 3.2 million Airpoints members. Fortunately, the hackers didn't access any Airpoints accounts, and they didn't get to steal any passwords or credit card details.
The company has now secured the phished internal accounts and is working out what it could do to put up a better defense the next time it ends up in the phishers' sights. The people who got the notifications were told to be on the lookout for phishing emails themselves.
The crooks managed to steal email addresses, names, and information on the number of loyalty points the affected customers have. This means that if they try to phish victims' Airpoints login credentials, they can create more believable, legitimate-looking emails. Phishing attacks aimed at people's Airpoints profiles present a legitimate concern in light of the recent breach. It's not the only one, though.
The exact extent of the breach remains unknown
Stuff.co.nz spoke to a few affected Airpoints members who seem quite concerned. Rightly so, you might add. Air New Zealand customers can save quite a lot of personal information in their Airpoints accounts, including scanned copies of passports. One of the Airpoints members interviewed by stuff.co.nz said that they had been in touch with Air New Zealand and had been told that in addition to the details disclosed in Friday's emails, the hackers potentially had access to additional information like job titles, phone numbers, mailing addresses, etc. Stuff.co.nz asked Air New Zealand to confirm or deny these claims, but the airline's response was somewhat vague, saying only that the potentially compromised data "will vary by member".
All in all, the details around the incident remain somewhat scarce, but people shouldn't rush to conclusions. Indeed, Air New Zealand isn't sharing a whole lot on what sort of data got exposed, but this might be due to the fact that it simply doesn't have this sort of information. Both the airline and New Zealand's Privacy Commissioner claim to be in the middle of an ongoing investigation, which means that we might have more details in the future. Until then, Airpoints members must keep their eyes peeled not just for the phishing emails mentioned in Air New Zealand's notification, but for other signs of identity theft.