Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus
Reload this Page >

2014 UA Issued Awards on Air China (CA) Are Mysteriously Being Canceled (Hacked?)

2014 UA Issued Awards on Air China (CA) Are Mysteriously Being Canceled (Hacked?)

    Hide Wikipost
Old May 13, 14, 4:42 am   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: Pat89339
Wiki Link
A number of folks with award flights booked on CA (Air China) found their reservations cancelled. The only notification of cancellation appears to be an email in from UA written in chinese. UA reps confirmed that cancellations were made online and CA award space was no longer available. UA can rebook on other flights when award space is available.

It is plausible that a third party with access to PNR and pax name on the flight can fraudulently cancel an existing itinerary and book the reopened award seat.

Affected FlyerTalk members — with links to where in this discussion they posted their experiences — include:
  1. MikeMpls
  2. nihaoa
  3. lewende Reported 4 friends with this issue
  4. ordbkk
  5. twebst
  6. kb1992
  7. litesleeper
  8. zombietooth
  9. critten Reported 2/3 confirmations (3 people CA Business class) cancelled at the same time
  10. skyvanman Also 1 friend with the issue
  11. chris1234
  12. atiger29
  13. bubble o bill
  14. genemk2
  15. jefftiger
  16. CuddlyFlyer
  17. gpeso8
  18. imm2b
  19. acf1270
  20. dgxoxo
  21. ACM two passengers
Originally Posted by ordbkk View Post
It seems everybody wants to see the message.. here was mine:
united.com 通知 - 航班预订取消
2014年4月17日 (星期四)
united.com | 优惠促销 | 预订 | 赢取前程万里 (MileagePlus®) 奖励里程 | 我的帐户

先生 ORDBKK
您的预订 MYRES123 已取消,我们已收到您的退款申请。申请信用卡退款需 7 个工作日。如果信用卡退款未在一个付款周期内寄出,请联系信用卡公司。对于包括现金退款在内的 所有其他形式 的付款,需要 20 个工作日。

如需详细信息或查看退款的状态,请访问 united.com 并提供您的机票号码。

感谢您使用 united.com

电子邮件信息
请不要使用“回复”地址回复此邮件。
此电子邮件中的信息仅供原接收人使用。
如果您遇到技术问题,请通过电子邮件或电话联系 united.com 服务支持。
通知:机票取消确认
电子邮件地址: [email protected]

Originally Posted by ordbkk View Post
For tracking purposes, I went through the 27 pages of this thread and compiled a list of those affected:

MikeMpls
nihaoa
lewende (reported 4 friends with this issue)
ordbkk
twebst
kb1992
litesleeper
zombietooth
critten
skyvanman (also 1 friend with the issue)
jefftiger (but, happened during October 2013)

So we're at 13 people affected, although some like critten have had multiple trips canceled.
From what I understand, all of these occurred in the last 3 weeks.
Print Wikipost

Old Apr 23, 14, 11:19 pm
  #556  
 
Join Date: Mar 2012
Programs: UA/MM/1K
Posts: 178
2014 UA Issued Awards on Air China (CA) Are Mysteriously Being Canceled (Hacked?)

How about a simple solution...canceling award booking should also require the PIN number for the MP account where the miles came from and preventing CA to cancel 016 bookings.
acesflyerSFO is offline  
Old Apr 23, 14, 11:27 pm
  #557  
Suspended
 
Join Date: May 2011
Location: SFO
Programs: UA 1K
Posts: 1,955
Originally Posted by acesflyerSFO View Post
How about a simple solution...canceling award booking should also require the PIN number for the MP account where the miles came from and preventing CA to cancel 016 bookings.
It's conceptually simple, but I wouldn't expect UA (or any airline) to be able to implement it overnight. You're asking to create a whole new verification check on the website that never existed before. They also undoubtedly have some fairly extensive deployment process for pushing out new code to their servers. I expect they could do it, but it would take them weeks, not days.

(You want this to apply to changes, too, right? Otherwise the hacker could just change your flights, which from the point of view of inventory is as good as cancelling them. There are a number of things like this that you need to think about.)
DaviddesJ is offline  
Old Apr 24, 14, 12:16 am
  #558  
FlyerTalk Evangelist
 
Join Date: Oct 2006
Location: SFO/SJC
Programs: UA Silver, Marriott Gold, Hilton Gold
Posts: 13,710
Originally Posted by DaviddesJ View Post
It's conceptually simple, but I wouldn't expect UA (or any airline) to be able to implement it overnight. You're asking to create a whole new verification check on the website that never existed before. They also undoubtedly have some fairly extensive deployment process for pushing out new code to their servers. I expect they could do it, but it would take them weeks, not days.
+1.

I've worked on company intranet/internet sites before - not on the programing side, but on the content/management/QA side (working with the team that codes). Sounds easy, but takes time to code, test, QA, etc. And the sites I've worked on are much less complicated than UAs. While also hard to believe, I've also found through this experience that sometimes, the changes that sound more complicated are actually the easiest to implement, while the ones that sound the easiest can take the longest to implement.
emcampbe is offline  
Old Apr 24, 14, 12:57 am
  #559  
 
Join Date: Dec 2000
Location: Seat 1A
Programs: Non-status paid F/J (best value for $$$)
Posts: 4,092
Originally Posted by acesflyerSFO View Post
How about a simple solution...canceling award booking should also require the PIN number for the MP account where the miles came from and preventing CA to cancel 016 bookings.
A even more simpler (and short term) solution would be for United to disable the "cancel booking" function and require the passenger to call the call center to cancel the booking.
daniellam is offline  
Old Apr 24, 14, 1:09 am
  #560  
Suspended
 
Join Date: May 2011
Location: SFO
Programs: UA 1K
Posts: 1,955
Originally Posted by daniellam View Post
A even more simpler (and short term) solution would be for United to disable the "cancel booking" function and require the passenger to call the call center to cancel the booking.
Talk about throwing out the baby with the bathwater. And 'change flights' too, of course? Millions of people use these services, you know. An even simpler solution would be for UA to shut down operations. Then there would never be any hacking at all.
DaviddesJ is offline  
Old Apr 24, 14, 4:14 am
  #561  
 
Join Date: Aug 2007
Location: IAH
Programs: UACO Plat/1K, DL Plat, Hertz 5*, Avis - PC, SPG Gold, Colorado Pass
Posts: 228
Just got cancelled

IAH-PEK-ICN-PEK-IAH in I x 2 for a trip in May. Received something chinese in an email. Not happy. Will have to make some phone calls soon.

Last edited by atiger29; Apr 24, 14 at 4:15 am Reason: added fare class
atiger29 is offline  
Old Apr 24, 14, 4:27 am
  #562  
 
Join Date: Jul 2000
Location: AUH
Posts: 7,926
Originally Posted by DaviddesJ View Post
Talk about throwing out the baby with the bathwater. And 'change flights' too, of course? Millions of people use these services, you know. An even simpler solution would be for UA to shut down operations. Then there would never be any hacking at all.
Talk about an overreaction yourself.

I'd say most FFPs that I'm a member of require me to call in order to cancel an award - it's nowhere near as outlandish as you seem to suggest. In fact, I'm surprised that it involves so little security to cancel as it stands currently.

In light of the apparent breach of security, I agree that disabling the online cancel option is by far the best solution on the balance.
stargold is online now  
Old Apr 24, 14, 4:50 am
  #563  
 
Join Date: Sep 2006
Location: CLE
Programs: CO Gold - 1MM, IC Plat, Hertz PC
Posts: 1,644
Originally Posted by atiger29 View Post
IAH-PEK-ICN-PEK-IAH in I x 2 for a trip in May. Received something chinese in an email. Not happy. Will have to make some phone calls soon.
This just happened today?
CLEHillbilly is offline  
Old Apr 24, 14, 5:38 am
  #564  
 
Join Date: Aug 2007
Location: IAH
Programs: UACO Plat/1K, DL Plat, Hertz 5*, Avis - PC, SPG Gold, Colorado Pass
Posts: 228
Originally Posted by CLEHillbilly View Post
This just happened today?
Yep. 4:53am CST. I had been monitoring this thread thanks to the OP. I guess everyone should be forewarned if booked with CA.
atiger29 is offline  
Old Apr 24, 14, 6:56 am
  #565  
 
Join Date: May 2012
Programs: Delta Plat, UA Plat, Hilton Diamond, SPG Gold
Posts: 255
Originally Posted by atiger29 View Post
Yep. 4:53am CST. I had been monitoring this thread thanks to the OP. I guess everyone should be forewarned if booked with CA.
I'll PM you some contacts. Good luck getting rebooked. Seems IAH-PEK is popular :P They put me on IAH-SFO-PEK Dreamliner, 747-400
critten is offline  
Old Apr 24, 14, 7:22 am
  #566  
 
Join Date: Jul 2013
Location: DAY/CMH
Programs: UA MileagePlus
Posts: 2,473
Originally Posted by emcampbe View Post
....I've also found through this experience that sometimes, the changes that sound more complicated are actually the easiest to implement, while the ones that sound the easiest can take the longest to implement.
I'm a developer. I frequently tell my users there is no correlation between the value of a feature and the effort required to implement it.
ajGoes is offline  
Old Apr 24, 14, 7:31 am
  #567  
FlyerTalk Evangelist
 
Join Date: Dec 2007
Location: BOS/ORH
Programs: AS 75K
Posts: 18,234
Originally Posted by critten View Post
I'll PM you some contacts. Good luck getting rebooked. Seems IAH-PEK is popular :P They put me on IAH-SFO-PEK Dreamliner, 747-400
Well IAH/PEK is still open for my date so hopefully i'm safe but doubt it I'd be curious as to what routes are the ones being cancelled.

Im debating switching now to a different routing. Really wanted to try CA F but it seems the seat in 777-300ER isnt much different than the TG A380 F seat.
CDKing is offline  
Old Apr 24, 14, 7:35 am
  #568  
 
Join Date: Aug 2011
Location: 10^7 mm from Ȱ
Programs: Hyatt D/HHonors D/ SPG P/ Marriott P/ IHG P/ UA 1K/ AA EXP/ DL D
Posts: 1,959
Originally Posted by stargold View Post
Talk about an overreaction yourself.

I'd say most FFPs that I'm a member of require me to call in order to cancel an award - it's nowhere near as outlandish as you seem to suggest. In fact, I'm surprised that it involves so little security to cancel as it stands currently.

In light of the apparent breach of security, I agree that disabling the online cancel option is by far the best solution on the balance.
+1
lewende is offline  
Old Apr 24, 14, 7:37 am
  #569  
 
Join Date: Jul 2003
Location: BOS, PVG
Programs: United Global Services and 1MM, Marriott Ambassador
Posts: 9,237
Originally Posted by DaviddesJ View Post
Talk about throwing out the baby with the bathwater. And 'change flights' too, of course? Millions of people use these services, you know. An even simpler solution would be for UA to shut down operations. Then there would never be any hacking at all.
Have to agree on this.

Disabling online "cancel" function is bad. Don't mind a PIN requirement.
kb1992 is offline  
Old Apr 24, 14, 8:10 am
  #570  
FlyerTalk Evangelist
 
Join Date: Dec 2007
Location: BOS/ORH
Programs: AS 75K
Posts: 18,234
Originally Posted by kb1992 View Post
Have to agree on this.

Disabling online "cancel" function is bad. Don't mind a PIN requirement.
Temporary disabling of the ability to cancel online until the PIN based requirement can be implimented sounds like an excellent idea.

I'm not sure why UA cannot just lock specific reservations from changes. I mean what does their corporate security do when they investigate a MP account for fraud? Surely they lock things down

Last edited by CDKing; Apr 24, 14 at 8:17 am
CDKing is offline  

Thread Tools
Search this Thread