[BreachExchange] Asiana Airlines' customer database leaked on Internet

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 19 10:40:11 EDT 2016


http://www.koreatimes.co.kr/www/common/vpage-pt.asp?categorycode=123&newsidx=209639

Tens of thousands of items of sensitive passenger information have been
leaked on the Internet in a large-scale private data breach against Korea's
second-biggest airline, Asiana Airlines.

The information includes citizen resident numbers, passport information,
home addresses, bank account details, phone numbers and family relations
records. The information, saved on the company's website (flyasiana.com)
for the past several years, is believed to have been compromised.

Victims are Koreans and foreigners who traveled or will travel using Asiana
or its affiliated airlines, such as United Airlines, Lufthansa, Thai
Airways, Singapore Airlines and Scandinavian Airlines, among others.

The Korea Times was able to access hundreds of scanned private documents
belonging to customers. They are part of an estimated 47,000 documents
believed to have been compromised.

The oldest document obtained by The Korea Times is a flight ticket invoice
issued in September 2014. But it is possible the leak extends farther. It
is unknown whether the data has already fallen into criminal hands.

Computer engineers who analyzed the exposed data and the way it was
accessed said the scanned documents appear to have been attached to
customers' query emails to Asiana.

Asiana temporarily shut its server for the Frequently Asked Questions (FAQ)
section following the report on the leak and launched an investigation into
the case.

"Customers' information that has been saved on the FAQ server since May
2015 seems to have been compromised," Asiana said in a statement. "An
investigation is underway to verify the scope of compromised data."

The prosecution and the Korea Internet and Security Agency have launched a
respective investigation into the matter.

A foreign computer engineer who first drew attention to the security
loophole said: "No hacking skills were required to retrieve it. Just basic
knowledge of web development."

Computer engineers here echoed the view, saying Asiana's website security
was "extremely poor." They said this was a clear violation of the Personal
Information Protection Act, which requires companies handling personal data
to store it securely.

"It's evident that there were security loopholes on Asiana's website," said
a computer engineer who examined the leaked documents.

"If malicious hackers learned how to access it, they would have been able
to steal tens of thousands of copies of private information in seconds
using a data-collecting program that is readily available online."

Asiana has built the websites of its two low-cost carrier affiliates ― Air
Busan and Air Seoul ― with a similar technical framework.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160719/3953d9db/attachment.html>


More information about the BreachExchange mailing list