Air NZ data breach raises questions
A data breach has exposed up to 112,000 Air New Zealand Airpoints customers to long-term privacy concerns.
Air New Zealand is facing questions around how the data breach happened and why it took the company more than nine days to notify customers compromised by the phishing attack.
The airline notified the Privacy Commissioner about the breach on July 31; however, customers were only told about the attack on August 9.
An Air New Zealand spokeswoman said the commissioner had been told about the breach while the company was still in the process of confirming details of the attack.
‘‘In line with best practice, Air New Zealand notified the Privacy Commissioner of our investigation into a potential incident on July 31,’’ she said.
‘‘We received confirmation on Thursday last week of the customers potentially affected by this issue and on Friday we proactively contacted those who may have been impacted.’’
Those customers received an email outlining the breach.
Exposed data included information associated with members’ visible in internal documents. This varied by member and could include details such as Airpoints
number, members’ name and email.
‘‘Passport details shared with us through an Airpoints member profile or through an online flight booking are not impacted.’’
The spokeswoman did not provide details into how the phishing attack was successful but said the company apologised to customers for the ‘‘inconvenience’’.
However, one cyber security expert said the attack could be more than an inconvenience for exposed customers.
Dr Panos Patros, of the University of Waikato, said the phishing attack could have long-term consequences for people who had lost control of their data. ‘‘Once something is out there it is virtually impossible to disappear.’’
A good practice for those affected would be to change passwords often and to monitor credit cards.
He said phishing was a social engineering technique, rather than a hack. ‘‘Phishing happens because we give out stuff.’’