FlyerTalk Forums


WilcoRoger Mar 4, 2021 2:12 am

Data security incident
 
Just in:

"Dear RW,
We are writing to inform you that some of your Finnair frequent flyer data is unfortunately included in a recent data breach of a third-party information system used by our airline partners. SITA produces IT services for a large number of airlines and airports. Finnair does not use the service that was breached, but we share some frequent flyer data with partners who use this third-party service. This information is shared to ensure that we can serve our members, and to allow you to accrue and use your frequent flyer points. For the avoidance of any doubt, this data incident is not the result of any breach in Finnair IT systems.

We were informed about the breach over the past weekend and started investigating it immediately. The breached data includes member names, personal titles, frequent flyer numbers, tier information, and for some members, meal and seating preferences. Any other information, such as contact details, payment card details or passwords, is not included.

The breached data cannot be used to access Finnair Plus services. Accessing Finnair Plus services always requires a password, and we do not share password data among airlines or with other partners.

Based on our analysis, the nature of the breached data, and the information we have received from SITA, we believe that the risk of this data being misused in other contexts is relatively low, and we have not detected any unusual activity on Finnair Plus accounts.

However, as a standard precaution, we recommend you reset your Finnair Plus password. Please choose a unique password that you have not used in any other service. A strong password includes uppercase letters, lowercase letters, numbers and special characters, and is sufficiently long. It is good to remember that Finnair will never contact you to inquire about your login data. You can also contribute to your privacy by switching on two-factor authentication in the ‘Advanced security’ section of your Finnair Plus profile.

Investigations continue and we are monitoring the situation closely. We have also made a notification to the Finnish Data Protection Authority as required by law.

Your privacy is a priority for us. We are very sorry for the worry this situation may cause you.

More information is on SITA's website.

With kind regards,
Ole Orvér
Chief Commercial Officer, Finnair

WilcoRoger Mar 4, 2021 2:14 am

And the cherry on top - the provided link (I removed it from the post) to change the password ends up here


https://cimg8.ibsrv.net/gimg/www.fly...122a7288b9.png

needle Mar 4, 2021 2:33 am

Got the same message in Finnish. SITA is massive, I wonder how wide this breach is? "The company provides its services to around 400 members and 2,800 customers worldwide, which it claims is about 90% of the world's airline business." ref. https://en.wikipedia.org/wiki/SITA_(company)

goldnext Mar 4, 2021 3:08 am

Another reason for 2-factor :)

needle Mar 4, 2021 4:45 am

2-factor doesn't change the fact that personal details were compromised due to the breach. I don't see how this breach "is a reason" for 2-factor. There are many good reasons to use 2-factor, but it doesn't save you from lost personal data due to data breaches...

TTL Mar 4, 2021 8:40 am

Good that at least now changing of the password works. Did not earlier today.

Courmisch Mar 4, 2021 8:54 am


Originally Posted by needle (Post 33076347)
2-factor doesn't change the fact that personal details were compromised due to the breach. I don't see how this breach "is a reason" for 2-factor. There are many good reasons to use 2-factor, but it doesn't save you from lost personal data due to data breaches...

This.

On one hand, the general personal data constitute a treasure trove with which to perform impersonation and social engineering. It does not help that the Finnish ID number is non-random, used for basically everything, and so often blindly trusted.

And on the other hand, the customer numbers are of the ambiguous kind, like credit card numbers, where it's not really clear if they're supposed to be confidential or not, and thus, much like the Finnish ID number, they end up being blindly trusted when they really should not be.

Either way, 2FA does not help here because passwords were supposedly not stolen. The problem is whenever the password is not needed.

Courmisch Mar 4, 2021 9:00 am


Originally Posted by needle (Post 33076247)
Got the same message in Finnish. SITA is massive, I wonder how wide this breach is? "The company provides its services to around 400 members and 2,800 customers worldwide, which it claims is about 90% of the world's airline business." ref. https://en.wikipedia.org/wiki/SITA_(company)

Seems this also affects SQ, and to some extent, all other *A member airlines? That or we have two very coincidental leaks from the same company at the same time.

Post Scriptum Mar 4, 2021 10:29 am

Likely this is the company that Malaysia was using when their whole Enrich program was breached.

vanillabean Mar 4, 2021 12:52 pm

I have yet to receive an email from Finnair, but I got a similar one from Scandic Hotels a few weeks ago.

freakazoid Mar 4, 2021 3:08 pm


Originally Posted by Finnair
However, as a standard precaution, we recommend you reset your Finnair Plus password.

When your standard precaution is to change passwords when they haven't been breached at all, your standard precautions are pretty terrible.

zxcv1 Mar 4, 2021 6:26 pm

SITA characterised the approach as "highly sophisticated". I wonder why a group of that calibre would spend their efforts targeting this kind of data, which by AY and SQ accounts poses but a "very limited risk". Is there something we're not being told?

Changing passwords regularly is standard procedure even in normal times. Different password per site, high-entropy passwords, and let a password manager take care of them. 2-factor login wherever the inconvenience is not completely prohibitive. I would never store my credit card details on AY website no matter how convenient it may render buying tickets.

freakazoid Mar 4, 2021 7:28 pm


Originally Posted by zxcv1 (Post 33078117)
Changing passwords regularly is standard procedure even in normal times.

Regularly changing passwords is an outdated practice, changing a password that hasn't been leaked makes no sense.

zxcv1 Mar 4, 2021 7:36 pm


Originally Posted by freakazoid (Post 33078206)
Regularly changing passwords is an outdated practice, changing a password that hasn't been leaked makes no sense.

Only a fraction of leaks is actually public and a much smaller fraction becomes public as it's happening, yet changing passwords is easy and effortless.

R2 Mar 4, 2021 10:28 pm


Originally Posted by zxcv1 (Post 33078117)
I would never store my credit card details on AY website no matter how convenient it may render buying tickets.

My understanding is AY keeps your credit card details anyway if you ever bought a ticket from them. When I got my GDPR report from AY, it had my credit card numbers from years back (part of the number blacked out). I asked them to delete it but they replied they won't because they are required by law to keep some data blaahblaah. It is supposedly kept separate from other customer data.

