ceannri

My wife discovered recently (when trying to do an upgrade with JPmiles) that 45,000 had gone missing from her account. A little research in her Inbox uncovered a missed email which named three people who had travelled on her account and a fourth who had booked the travel. Raised the issue with Jet Privilege, who maintained complete denial that anything untoward had happened and continue to maintain the position in the face of astonishing evidence. Basically my wife's account has hacked and Jet think thats ok. Very grave concerns over Jet Airways Customer Data Security. Any pointers as to how I can navigate this scenario to fraudsters punished, Jet Data Security Policy fixed and JP miles re-credited gratefully received.

Keyser

unfortunately the missed email will become a roadblock in getting your miles back from jet....they did their part by emailing your wife at her registered email address....if any fraudulent activity is taking part then it is up to the member to dispute the transaction....since you did not, they will stick to their grounds that they have no further obligation to do anything....as far as they are concerned the transaction was done by you....a member's account can be used to book for other people & the payment can also be done from anyone's credit card....

i faced a similar issue with a hotel loyalty program a few years ago....my account was hacked & someone tried to book a room using points from my account....i called them the moment i received an email confirmation that points had been deducted from my account & they took action immediately by refunding the points & cancelling the reservation....jet would have done the same had your wife called them when she received the email....

ceannri

Thanks Keyser for the reply, pretty well diagnosed. The key fact for Jet is that they have a hole in their data security and as far as I can tell they are willing to hide behind a bit of petty bureaucracy (you got the email) and pretend they don't have a problem. Airlines need to be all over their data security, there is data involved all the way from the passenger lists to the technical setup of an aircraft. Hacking a loyalty program is one step towards something far more sinister. In truth I am less concerned about the JPMiles, much more the attitude they are taking to a bona fide security breach. This is my small mission on behalf of the traveling public to bring a little attention to a problem of the future. Had a chat with the police, they think it might be a worthy case for the UK Action Fraud team (setup specifically for IT Fraud/Hacking). Lets see.....

SuperFlyBoy

I would still push the issue with JP.

JP is totally (expletives deleted) clueless - they cannot even interpret their *own* mileage chart and rules!

First, ask them to provide you the details as to how the awards were booked.

If this was an online transaction/booking, ask them to provide the IP addresses, times/dates and other relevant information (browser, OS, OS version) provided/logged to/by them.

Copy [email protected] to engage their "IT Department", if the transactions were done online.

If this was an in-person or telephone booking, ask them to provide the telephone number of the individual who called them and also ask for the recording of this conversation.

I would also file an FIR as this is clear theft. Advise them you would be doing this as well and ask for the senior manager in charge of such cases with JP.

Put everything in writing and obtain signed/stamped/dated copies of what you are handing over to them.

Anish

Threaten them with police/legal action and I think they will quietly restore your miles.

ceannri

Thank you for the comments. I have sent them the Police Report reference, seems not to be drawing a reaction. Plotting next steps, might well be heavily guided by SuperFlyBoy

ceannri

It seems the wheels of interdepartmental industry have been turning at Jet Airways and the missing miles have now been re-credited and an accompanying email requesting re-verification of contact details. I am hoping that this also means they have indeed investigated the incident and plugged the hole in their security. Thanks for the support and attention from the FlyerTalk community.

Keyser

great result....glad it all worked out....

kb9

Funnily enough, I logged into the forum to start a new thread about my own experience with being hacked-- and the first post I saw was about the same incident!

Earlier this week, I tried to log into my JP account and found the password has changed. When I tried to reset the password, it told me an email is being sent to an unrecognizable email. After writing to customer service, and forwarding older statement emails sent to my email ID, they asked for ID proof-- which I furnished-- and they said they are now investigating this.

The hacker seemed to have changed the email address associated with my account using my [email protected]. Not sure if this is a case of mistaken identity or fraudulent activity. The dumb thing their customer care person did is to CC the fraud email ID on all replies (including my ID cards which was attached to an earlier reply). Hope this doesn't turn into a case where I have to prove I'm the real McCoy.

AJLondon

Yikes. Are you saying the actual attachments (pdfs etc) of your IDs that you sent them were also included again on their response where they cc'd the fraudulent Id? Or was it just the same email trail where the added that email address, but didn't include again the attachments? If your actual ID's (pan, aadhar etc) were shared I would be very worried (and furious at Jet) and consider filing an FIR asap.

Keyser

jet has a habit of including all attachments to their replies....i've sent them passport copies in the past to book certain tickets & those attachments have been included in their replies....i wouldn't put it past them to be stupid enough to make this blunder....

kb9

Jet got back to me today saying they've completed their "investigation" and that they've been able to reinstate my account under my original email ID.

Once I logged in and reset my password-- my worst fear came true: There was an unauthorized redemption of 30,000 miles for a flight from HKG to BOM during the time when I didn't have access to my account.

I wrote back to Jet stating this and asked for them to reinstate my points. I can't figure out how someone was able to change my email ID, log in and redeem points. And because at the time of redemption-- the email was already changed to the fraudulent one-- I wasn't even able to get notified of the redemption.

@ceannri Let me know what ended up working for you? SuperFlyBoy listed great steps. Just checking if you followed all of it.

ceannri

Hi, sorry for delay, been away. I have no way of knowing for sure because of limited information from Jet, however..... My best guess is that is takes a lot of time to move the investigative items from team to team within the Jet organization so things do not actually get investigated at all and are automatically rejected after a certain time period. I believe the Police Report reference may have pushed my case to conclusion but very slowly. I don't believe I got any traction thru calling customer services except for getting the case re-activated again. I would get the problem reported to the police or another relevant authority and get a reference which you can quote in an email. All the other SuperFlyBoy steps look good if the initial Police reference fails. One last thing, I was surprised how easily a case went from apparently closed to being under investigation again, phone call or email should keep the case alive.

kb9

Thanks for that feedback. Wish me luck!

ceannri

Good Luck!!!!