Data security incident
#1
FlyerTalk Evangelist
Original Poster
Join Date: Jan 2008
Location: HEL
Programs: lots of shiny metal cards
Posts: 14,106
Just in:
"Dear RW,
We are writing to inform you that some of your Finnair frequent flyer data is unfortunately included in a recent data breach of a third-party information system used by our airline partners. SITA produces IT services for a large number of airlines and airports. Finnair does not use the service that was breached, but we share some frequent flyer data with partners who use this third-party service. This information is shared to ensure that we can serve our members, and to allow you to accrue and use your frequent flyer points. For the avoidance of any doubt, this data incident is not the result of any breach in Finnair IT systems.
We were informed about the breach over the past weekend and started investigating it immediately. The breached data includes member names, personal titles, frequent flyer numbers, tier information, and for some members, meal and seating preferences. Any other information, such as contact details, payment card details or passwords, is not included.
The breached data cannot be used to access Finnair Plus services. Accessing Finnair Plus services always requires a password, and we do not share password data among airlines or with other partners.
Based on our analysis, the nature of the breached data, and the information we have received from SITA, we believe that the risk of this data being misused in other contexts is relatively low, and we have not detected any unusual activity on Finnair Plus accounts.
However, as a standard precaution, we recommend you reset your Finnair Plus password. Please choose a unique password that you have not used in any other service. A strong password includes uppercase letters, lowercase letters, numbers and special characters, and is sufficiently long. It is good to remember that Finnair will never contact you to inquire about your login data. You can also contribute to your privacy by switching on two-factor authentication in the ‘Advanced security’ section of your Finnair Plus profile.
Investigations continue and we are monitoring the situation closely. We have also made a notification to the Finnish Data Protection Authority as required by law.
Your privacy is a priority for us. We are very sorry for the worry this situation may cause you.
More information is on SITA's website.
With kind regards,
Ole Orvér
Chief Commercial Officer, Finnair"
#3
Join Date: Jun 2016
Programs: AY+ Platinum (OWE)
Posts: 31
Got the same message in Finnish. SITA is massive, I wonder how wide this breach is? "The company provides its services to around 400 members and 2,800 customers worldwide, which it claims is about 90% of the world's airline business." ref. https://en.wikipedia.org/wiki/SITA_(company)
#5
Join Date: Jun 2016
Programs: AY+ Platinum (OWE)
Posts: 31
2-factor doesn't change the fact that personal details were compromised due to the breach. I don't see how this breach "is a reason" for 2-factor. There are many good reasons to use 2-factor, but it doesn't save you from lost personal data due to data breaches...
#7
Join Date: May 2014
Location: HEL
Programs: AY+Plat, ALL Plat, Scandic L2
Posts: 3,620
On one hand, the general personal data constitute a treasure trove with which to perform impersonation and social engineering. It does not help that the Finnish ID number is non-random, used for basically everything, and so often blindly trusted.
And on the other hand, the customer numbers are of the ambiguous kind, like credit card numbers, where it's not really clear if they're supposed to be confidential or not, and thus, much like the Finnish ID number, they end up being blindly trusted when they really should not be.
Either way, 2FA does not help here because passwords were supposedly not stolen. The problem is whenever the password is not needed.
#8
Join Date: May 2014
Location: HEL
Programs: AY+Plat, ALL Plat, Scandic L2
Posts: 3,620
#11
Join Date: Aug 2008
Location: TXL
Programs: US, LH, HH
Posts: 724
Originally Posted by Finnair
However, as a standard precaution, we recommend you reset your Finnair Plus password.
#12
Join Date: Aug 2019
Programs: AY+ Lumo, HH Diamond
Posts: 503
SITA characterised the approach as "highly sophisticated". I wonder why a group of that calibre would spend their efforts targeting this kind of data, which by AY and SQ accounts poses but a "very limited risk". Is there something we're not being told?
Changing passwords regularly is standard procedure even in normal times. Different password per site, high-entropy passwords, and let a password manager take care of them. 2-factor login wherever the inconvenience is not completely prohibitive. I would never store my credit card details on the AY website no matter how convenient it may render buying tickets.
#13
Join Date: Aug 2008
Location: TXL
Programs: US, LH, HH
Posts: 724
#14
Join Date: Aug 2019
Programs: AY+ Lumo, HH Diamond
Posts: 503
#15
Join Date: Mar 2000
Posts: 938
My understanding is AY keeps your credit card details anyway if you ever bought a ticket from them. When I got my GDPR report from AY, it had my credit card numbers from years back (part of the number blacked out). I asked them to delete it but they replied they won't because they are required by law to keep some data blaahblaah. It is supposedly kept separate from other customer data.