Insufficient IT security at South Korea’s Asiana Airlines has lead to a massive amount of confidential customer information including document scans being stolen and leaked online.
From a customer point of view I always thought that the Asiana website was one of the worst any airlines out there subject their passengers to but little did I know how bad it looks behind the scene as IT experts characterize Asiana’s website as “extremely poor”.
The story was first published at The Korea Post (access here).
Tens of thousands of items of sensitive passenger information have been leaked on the Internet in a large-scale private data breach against Korea’s second-biggest airline, Asiana Airlines.
The information includes citizen resident numbers, passport information, home addresses, bank account details, phone numbers and family relations records. The information, saved on the company’s website (flyasiana.com) for the past several years, is believed to have been compromised.
The newspaper public examples of the documents available online which includes scans of passports, resident cards and frequent flyer details.
There is barely anything you can really do completely online on the Asiana website, especially in the area of their frequent flyer program Asiana Club. Too many things have to be done ‘on request’ for which they then require supporting documents. It was extremely foolish of them to dump all this data into a database and keep it there without properly securing their server.
Victims are Koreans and foreigners who traveled or will travel using Asiana or its affiliated airlines, such as United Airlines, Lufthansa, Thai Airways, Singapore Airlines and Scandinavian Airlines, among others.
The Korea Times was able to access hundreds of scanned private documents belonging to customers. They are part of an estimated 47,000 documents believed to have been compromised.
The oldest document obtained by The Korea Times is a flight ticket invoice issued in September 2014. But it is possible the leak extends farther. It is unknown whether the data has already fallen into criminal hands.
Computer engineers who analyzed the exposed data and the way it was accessed said the scanned documents appear to have been attached to customers’ query emails to Asiana. Asiana temporarily shut its server for the Frequently Asked Questions (FAQ) section following the report on the leak and launched an investigation into the case. “Customers’ information that has been saved on the FAQ server since May 2015 seems to have been compromised,” Asiana said in a statement. “An investigation is underway to verify the scope of compromised data.”
The prosecution and the Korea Internet and Security Agency have launched a respective investigation into the matter. A foreign computer engineer who first drew attention to the security loophole said: “No hacking skills were required to retrieve it. Just basic knowledge of web development.”
Computer engineers here echoed the view, saying Asiana’s website security was “extremely poor.” They said this was a clear violation of the Personal Information Protection Act, which requires companies handling personal data to store it securely. “It’s evident that there were security loopholes on Asiana’s website,” said a computer engineer who examined the leaked documents. “If malicious hackers learned how to access it, they would have been able to steal tens of thousands of copies of private information in seconds using a data-collecting program that is readily available online.”
I was Asiana Gold for 3 years until I finally had enough of their complicated procedures when it came to redeeming the miles. I can’t count how often I had to visit the City Ticketing Office or send them supporting documents to get things done. Many airlines operate in the same way and I always try to provide as little personal documents as possible or if then I modify the copy/scan in a way that it can’t be used for fraudulent purposes outright.
The same goes for hotels. You might have gotten emails before where hotels request that you send them a credit card authorization form and in some cases even scans of your card. Avoid that at all cost! John has recently written about such a case (see here).
The way that Asiana collects information is not unique especially for airlines and companies in Asia. At least for Thailand, Hong Kong, Korea and Malaysia I can say that the constant requirement of submitting ID copies doesn’t sit well with me. At least once a month you have to consult a service where they require this, be it at the bank or any other company even if you go in person. I have no problem with an authorized employee checking my ID but why does it need to be copied every left and right?
If a company such as Asiana collects personal information in this way and then neglects to protect it properly then that is a clear violation of the law as the experts in this case confirmed. South Korea is one of the top countries for the manufacturing of electronic goods worldwide and such an oversight is an embarrassment. Hopefully Asiana will be fined heavily for this breach!