[BreachExchange] Hong Kong Airlines says sorry over passenger data leak

[Audrey McNeil]

http://www.ejinsight.com/20161229-hong-kong-airlines-
says-sorry-over-passenger-data-leak/

Hong Kong Airlines has issued a public apology after its Android mobile app
reportedly leaked personal data of more than a hundred of its passengers,
including their names, passport numbers and travel records.

The airline immediately suspended access to the app and a feature where
non-members can make enquiries, Ming Pao Daily reports.

It promised a thorough investigation of the incident and said it is
coordinating with a third-party agent to help prevent the repeat of such an
incident.

The company has also filed a report to the Office of the Privacy
Commissioner for Personal Data.

The OPCPD said leaking personal data of customers could have violated the
principles of data security, although it does not constitute a criminal
offense.

It said it will ask Hong Kong Airlines to introduce measures to plug the
loopholes.

The security breach was first discovered by a Hong Kong Airlines customer
surnamed Lam, Apple Daily reported.

Lam and his girlfriend logged into the app for online check-in as
non-registered guests.

As they were going through the process, they were surprised to see a list
of personal data of over a hundred other passengers available to anyone
using the app.

When clicked, the records revealed the full name, Hong Kong ID number,
flight information, seat number and boarding pass QR codes of the
passengers.

A computer programmer himself, Lam was shocked to see that his and his
girlfriend’s data was also on the list after they checked in online.

The two then canceled their online check-in record and repeated the process
after signing up and logging in as a member. This time, they did not see
their names and data appearing on the app again.

Lam believed the incident was a basic mistake on the programming side, and
could have been avoided easily.

The data leak could pose security risks to the passengers on the
compromised list.

A person can assume the name and passport number of one of the passengers,
and then download and print the boarding pass of the original ticket owner,
the report said.

Legislator Helena Wong Pik-wan said passenger names and passport numbers
are personal data and airlines could be held liable for violation of the
Personal Data (Privacy) Ordinance if such information are disclosed without
the owner’s consent.

Dr. Karl Leung Ping-hung, head of the Department of Information Technology
at the Hong Kong Institute of Vocational Education (Chai Wan), said the
airline’s system could have mistakenly granted access rights to app users
to see privileged information, Ming Pao Daily reported.

Leung said the same data breach could have happened on the iOS version of
the app.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161229/4fab7f5c/attachment.html>