Airpoints Data Breach


Old Aug 12, 19, 1:01 pm
  #46  
 
Join Date: Dec 2014
Programs: NZ*Elite *G, QF*G, SPG*Platinum, Accor*Platinum, Hilton*Gold
Posts: 979
When a customer gets near to achieving their banked year with many months to go before their anniversary date I would think that is a significant relationship
My realisation point is banking and then receiving my Elite gift, it was a pointless relationship to continue given there was no significance in achieving that. I still kept the email tho....

Also a comment on secure access and 2FA may not be as relevant if staff are working off data extracts and spreadsheets because it would be easier to manipulate locally (this happens more commonly than one might think). There are no details on whether this happened so I can only speculate.
dadig is offline  
Old Aug 12, 19, 1:17 pm
  #47  
 
Join Date: Apr 2013
Location: New Zealand (most of the time)
Programs: NZ Elite *G, HHonors Diamond, IHG Platinum Elite
Posts: 4,373
The key thing here which Air NZ have not mentioned (and I can understand why they haven't because they hadn't had a password leak) is to ensure that if you're somebody who uses the same password across multiple websites that you immediately change your Airpoints password.

While Air NZ hasn't had passwords compromised, email addresses have been compromised, and if your email address and password have been compromised in any of the other large scale security lapses then your Airpoints account is at risk. If the Airpoints password you use is in the haveibeenpwned database you should immediately change it.

But I'm sure nobody on here is stupid enough to have such poor security that they reuse passwords across sites..
sbiddle is offline  
Old Aug 12, 19, 1:53 pm
  #48  
 
Join Date: Nov 2017
Posts: 417
Originally Posted by drajknox View Post


The naivety in the above post is remarkable. Spam filters mis-sort and take time to check. How can you tell a number you don't know is a spam call - sometimes obvious if from another country but not always. You would be surprised how easily the divulged information could be used with other publicly available info to carry out identity theft which may have a wide range of consequences. While you seem naive to this some of us are not - perhaps one day you will treat these matters less frivolously.
You have given out your phone number to friends and family only, so as that is the concern, when you glance and see a phone number that your phone has labelled "SPAM" or a phone number from a strange overseas number, no, I don't think it's going to take a significant time chunk out of your life to just filter them...

Spam phone numbers very quickly get labelled as "SPAM" and no you don't have to do anything to set that up.

I am a stickler for protecting my time, this is definitely not one area I lose sleep over 🤷

You seem to have added identity theft into the discussion, quoting a post when I was literally just talking about time lost due to spam calls...
Eltham likes this.

Last edited by kiwifrequentflyer; Aug 13, 19 at 2:06 am
kiwifrequentflyer is offline  
Old Aug 12, 19, 2:29 pm
  #49  
 
Join Date: Jan 2016
Posts: 931
Companies get pwned every day. Yes sure would be good if they didn't, but until the board actually understands the importance of the money sink which is security. (Not sure if applicable on this case).

Is it annoying? Yes. Am I going to lose sleep? No. Unfortunately part of life.

As for people mentioning the delay between breach and notification. This is normal and better as it allows them to understand the issue and issue accurate information. This allows the IR team to actually respond to the incident. And they won't be issuing different statements every hour as they learn things, which is worse.
nzkarit is offline  
Old Aug 13, 19, 4:17 am
  #50  
 
Join Date: Aug 2009
Location: AKL
Programs: NZ Silver
Posts: 1,732
Originally Posted by sbiddle View Post
But I'm sure nobody on here is stupid enough to have such poor security that they reuse passwords across sites..
Guilty....I probably have 5-6 passwords for >100 sites....I am curious to learn how people are supposed to remember which password is for which, if you have a different password for each log in?
brenrox is offline  
Old Aug 13, 19, 6:03 am
  #51  
 
Join Date: Jul 2019
Posts: 2
Originally Posted by brenrox View Post
Guilty....I probably have 5-6 passwords for >100 sites....I am curious to learn how people are supposed to remember which password is for which, if you have a different password for each log in?
I think people use password managers such as LastPass, which can store and generate passwords for you. Obviously making sure that the master password for their LastPass account is very secure and pretty much the only password you have to remember!
kiwifrequentflyer likes this.
sonyxperiageek is offline  
Old Aug 13, 19, 1:17 pm
  #52  
 
Join Date: Apr 2013
Location: New Zealand (most of the time)
Programs: NZ Elite *G, HHonors Diamond, IHG Platinum Elite
Posts: 4,373
Yip it's normal to use a password manager these days to store all passwords. Whether it be 1Password, LastPass (who are two of the biggest) or one of the many other solutions out there, it makes life so much easier, especially on a phone or laptop where you can simply use a fingerprint reader as well to login to all services.
sbiddle is offline  
Old Aug 13, 19, 4:53 pm
  #53  
 
Join Date: Dec 2012
Location: New Zealand
Programs: Air NZ *E
Posts: 58
My spam has exponentially increased since the breach, plus a couple of suspect text messages. The spam all goes to Junk usually anyway, so not a big deal.
JayKiwi is offline  
Old Aug 13, 19, 6:23 pm
  #54  
 
Join Date: Jun 2008
Location: Auckland
Programs: NZ Elite Partner/Silver (in own right), PR Elite, QF Bronze, UA Member, VA Red
Posts: 1,305
Originally Posted by sbiddle View Post
Yip it's normal to use a password manager these days to store all passwords. Whether it be 1Password, LastPass (who are two of the biggest) or one of the many other solutions out there, it makes life so much easier, especially on a phone or laptop where you can simply use a fingerprint reader as well to login to all services.
It should be normal - no one I regularly interact with (close work colleagues or family) does that
jeffrocowboy is offline  
Old Aug 13, 19, 6:42 pm
  #55  
 
Join Date: Aug 2007
Location: New Zealand
Programs: Many banked years
Posts: 219
What else was breached that they are avoiding saying?

I received a response from a generic privacy address (interesting how they choose to hide) stating that compromised data includes:
  • Full name and title
  • Phone numbers (home, mobile)
  • Email address
  • Physical address
  • Mailing city and country
  • Airpoints number
  • Frequent flyer tier details:
    • Status points balance details
    • Number of flights taken


What was not stated was whether this was all the data, so I responded asking for an assurance that this was ALL the data exposed, this was greeted by silence.

So while they have said what has been they have not been definitive in saying what has not. They have also avoided saying they do not know or are not sure.

Their privacy page says:

At Air New Zealand, we know that being open, transparent and honest will enable you to trust us.

We know these rights are very important to you. For us, they form a big part of our culture to ensure that customers are at the core of everything we do. We're committed to 'think privacy & do the right thing'.

I find their behaviour to be anything but in accordance with those statements. At least a 12 day delay in advising customers after they knew is not reasonable or professional, and the disingenuous half truth responses are simply appalling.

I have deleted my contact details, passport, credit card and most other details excluding snow unique email address that only they have for me. I have also advised them until I get satisfactory answers to my questions I will not be making any further bookings and I will be taking this to the media because bad behaviour needs plenty of sunlight.
Kiwi_FF is offline  
Old Aug 13, 19, 8:06 pm
  #56  
 
Join Date: Aug 2007
Location: New Zealand
Programs: Many banked years
Posts: 219
Update

In fairness I should add that shortly after the post above I received a call from an AirNZ privacy officer to say that the only other data of mine hacked was an email thread concerning a recent survey.
Kiwi_FF is offline  
Old Aug 13, 19, 8:43 pm
  #57  
 
Join Date: Jan 2013
Posts: 189
Originally Posted by brenrox View Post
Guilty....I probably have 5-6 passwords for >100 sites....I am curious to learn how people are supposed to remember which password is for which, if you have a different password for each log in?
Highly recommend LastPass, it chooses complex passwords for you.

A quick Google of your username could allow me to Socially Engineer a lot about your life so by posting on a forum that you only have 5-6 passwords is not a good idea
kiwifrequentflyer likes this.
Shamrock55 is offline  
Old Aug 14, 19, 2:59 am
  #58  
 
Join Date: Mar 2005
Location: PPQ/WLG/BKK
Programs: TG*G, Accor Gold
Posts: 7,175
Originally Posted by Shamrock55 View Post
Highly recommend LastPass, it chooses complex passwords for you.

A quick Google of your username could allow me to Socially Engineer a lot about your life so by posting on a forum that you only have 5-6 passwords is not a good idea
Indeed! A fellow FTer easily tracked me down in real life based on my handle and post content - an old friend, so no drama.

But it did open my eye to how much information exists, supported by some decent guesses...
Thai-Kiwi is offline  
Old Aug 14, 19, 4:38 am
  #59  
 
Join Date: Aug 2009
Location: AKL
Programs: NZ Silver
Posts: 1,732
Originally Posted by Shamrock55 View Post
Highly recommend LastPass, it chooses complex passwords for you.

A quick Google of your username could allow me to Socially Engineer a lot about your life so by posting on a forum that you only have 5-6 passwords is not a good idea
Thanks, have signed up...I always assumed having all your passwords stored in one place was a recipe for disaster, but seems it is all encrypted....at least those 5-6 didn't include 'password1' or my name
brenrox is offline  
Old Aug 14, 19, 1:46 pm
  #60  
 
Join Date: Nov 2017
Posts: 417
Originally Posted by Thai-Kiwi View Post
Indeed! A fellow FTer easily tracked me down in real life based on my handle and post content - an old friend, so no drama.

But it did open my eye to how much information exists, supported by some decent guesses...
I am 99% certain if any of my RL friends discover this forum, they will be able to identify me in a heartbeat
Thai-Kiwi likes this.
kiwifrequentflyer is offline  