
2014 UA Issued Awards on Air China (CA) Are Mysteriously Being Canceled (Hacked?)

Old Apr 21, 2014, 11:37 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: Pat89339
A number of folks with award flights booked on CA (Air China) found their reservations cancelled. The only notification of cancellation appears to be an email from UA written in Chinese. UA reps confirmed that cancellations were made online and CA award space was no longer available. UA can rebook on other flights when award space is available.

It is plausible that a third party with access to PNR and pax name on the flight can fraudulently cancel an existing itinerary and book the reopened award seat.

Affected FlyerTalk members — with links to where in this discussion they posted their experiences — include:
  1. MikeMpls
  2. nihaoa
  3. lewende Reported 4 friends with this issue
  4. ordbkk
  5. twebst
  6. kb1992
  7. litesleeper
  8. zombietooth
  9. critten Reported 2/3 confirmations (3 people CA Business class) cancelled at the same time
  10. skyvanman Also 1 friend with the issue
  11. chris1234
  12. atiger29
  13. bubble o bill
  14. genemk2
  15. jefftiger
  16. CuddlyFlyer
  17. gpeso8
  18. imm2b
  19. acf1270
  20. dgxoxo
  21. ACM two passengers
Originally Posted by ordbkk
It seems everybody wants to see the message.. here was mine:
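united.com Notification - Flight Reservation Cancellation
Thursday, April 17, 2014
united.com | Deals & Offers | Reservations | Earn MileagePlus® Award Miles | My Account

Mr. ORDBKK
Your reservation MYRES123 has been canceled, and we have received your refund request. Credit card refunds take 7 business days to process. If the credit card refund has not been issued within one billing cycle, please contact your credit card company. For all other forms of payment, including cash refunds, 20 business days are required.

For details or to check the status of your refund, please visit united.com and provide your ticket number.

Thank you for using united.com

E-mail information
Please do not reply to this message using the "Reply" address.
The information in this e-mail is intended for the original recipient only.
If you experience technical problems, please contact united.com support by e-mail or telephone.
Notification: Ticket cancellation confirmation
E-mail address: ORDBKK@MYEMAIL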

Originally Posted by ordbkk
For tracking purposes, I went through the 27 pages of this thread and compiled a list of those affected:

MikeMpls
nihaoa
lewende (reported 4 friends with this issue)
ordbkk
twebst
kb1992
litesleeper
zombietooth
critten
skyvanman (also 1 friend with the issue)
jefftiger (but, happened during October 2013)

So we're at 13 people affected, although some like critten have had multiple trips canceled.
From what I understand, all of these occurred in the last 3 weeks.
 
Old Apr 25, 2014, 10:04 am
  #646  
FlyerTalk Evangelist
 
Join Date: Apr 2008
Location: LGA/JFK/EWR
Programs: UA 1K1.75MM, Hyatt Globalist, abandoned Marriott LTT (RIP SPG), Hertz PC
Posts: 21,172
Originally Posted by mgcsinc
The silence among the bloggers cannot possibly be an accident.
Originally Posted by EmailKid
Paging Seth @:-)
Gary linked to it (didn't write about it), but Matthew did a nice interesting write-up (http://upgrd.com/matthew/mysterious-...leageplus.html)
UA-NYC
Old Apr 25, 2014, 10:05 am
  #647  
Suspended
 
Join Date: May 2011
Location: SFO
Programs: UA 1K
Posts: 1,961
Or maybe UA could hire some 'white hat' hackers to cancel the reservations stolen by the 'black hat' hackers so that UA can grab the seats back.
DaviddesJ
Old Apr 25, 2014, 10:05 am
  #648  
 
Join Date: Jan 2010
Location: CGK/LAX
Programs: KF,JMB, OZ, SPG,AA,UA,AS
Posts: 1,163
United was a pain to deal with when this happened to me in December (see above). One rep told me it was impossible for anyone but me to have cancelled the ticket and that I must have done it by mistake. Hopefully, now that they are aware of it they will be more accommodating but they certainly were not accommodating to me in December.

In the end, I paid $200 to get my miles refunded back to my account and ended up booking a ticket on CX through AA...
gpeso8
Old Apr 25, 2014, 10:06 am
  #649  
 
Join Date: Dec 2001
Location: Washington, DC, USA
Programs: UA-1Kmm, AA-EX Plt mm-, Hilton Diamond,
Posts: 1,093
Originally Posted by Daveyb101
I'm not sure that UA would have access to that information without cooperation from CA. Nor does it seem likely that UA really has any true recourse against a rogue individual in China cancelling reservations. If it were coming from within CA, that'd be a very different story, but I can't imagine UA ever actually figuring that out. The fact remains that UA just needs to implement some minimal security to verify ownership of the account before cancelling a reservation.
UA may not have any recourse against the rogue individual but this does not excuse them from the obligation to have in place data security to prevent it.
FLYDCA
Old Apr 25, 2014, 10:32 am
  #650  
 
Join Date: Dec 2013
Posts: 163
Originally Posted by FLYDCA
UA may not have any recourse against the rogue individual but this does not excuse them from the obligation to have in place data security to prevent it.
I absolutely agree. I think there's huge potential liability against United in this case as these cancellations could amount to more than a mere breach of contract, but rather UA's inability to safeguard access to the record.
Daveyb101
Old Apr 25, 2014, 10:33 am
  #651  
 
Join Date: Mar 2013
Location: India, & Great State of TEXAS
Programs: AA EX-Plat ** , UA 1K, IHG platinum
Posts: 102
Originally Posted by gpeso8
In early January I was supposed to fly back to the US from Asia and had two Air China Segments (SIN-PEK in J) and (PEK-LAX in F).

On December 25, 2013 I received an e-mail in Chinese stating that my reservation had been canceled and they had received my refund request. Calling UA from out of the country was a huge hassle and I ended up wasting a lot of time getting this sorted out as availability on the PEK-LAX flight was gone.

I did call Air China to get my seat assignment about a week before this happened.
***********
Has anyone recently booked and traveled on an award ticket with a CA biz segment in it? All reports are about cancellation only. I am trying to figure out if all are getting kicked out or just the lucky victims!! (just trying to humor out of frustration). Calling UA didn't yield anything positive. No answer from 1K.voice. Checking reservation every time on UA.app on the phone.
IAHUArunner
Old Apr 25, 2014, 10:33 am
  #652  
Suspended
 
Join Date: May 2011
Location: SFO
Programs: UA 1K
Posts: 1,961
Wouldn't the liability be against CA, since they are the ones disclosing the record locator? Good luck suing them in China.
DaviddesJ
Old Apr 25, 2014, 10:33 am
  #653  
 
Join Date: Jul 2010
Programs: UA
Posts: 255
Maybe you can try to get $200 refunded this time. There is already one case successful.

Originally Posted by gpeso8
United was a pain to deal with when this happened to me in December (see above). One rep told me it was impossible for anyone but me to have cancelled the ticket and that I must have done it by mistake. Hopefully, now that they are aware of it they will be more accommodating but they certainly were not accommodating to me in December.

In the end, I paid $200 to get my miles refunded back to my account and ended up booking a ticket on CX through AA...
nihaoa
Old Apr 25, 2014, 10:39 am
  #654  
 
Join Date: Dec 2013
Posts: 163
Originally Posted by DaviddesJ
Wouldn't the liability be against CA, since they are the ones disclosing the record locator? Good luck suing them in China.
There's probably a good argument against them, too. Though I'm not sure any of us really knows who is leaking the information to whom and how. But ultimately, it seems like we all agree that the problem in this case is that United doesn't have adequate checks in place to ensure that the information isn't used improperly. The question would seem to be whether United is taking reasonable precautions to protect against foreseeable unauthorized access.
Daveyb101
Old Apr 25, 2014, 11:02 am
  #655  
 
Join Date: Oct 2012
Location: Chicago
Programs: UA 1k
Posts: 83
Originally Posted by DaviddesJ
Wouldn't the liability be against CA, since they are the ones disclosing the record locator? Good luck suing them in China.
I'm not sure the locator is considered private/sensitive data. United emails it in plain text, not to mention the website transmitting it without encryption. A record locator by itself should not enable a person to see or do anything, it should always be accompanied by identity verification - information which does not get passed around the way a record locator does.
ordbkk
Old Apr 25, 2014, 11:06 am
  #656  
FlyerTalk Evangelist
 
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Titanium; Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 10,160
Originally Posted by gpeso8
United was a pain to deal with when this happened to me in December (see above). One rep told me it was impossible for anyone but me to have cancelled the ticket and that I must have done it by mistake. Hopefully, now that they are aware of it they will be more accommodating but they certainly were not accommodating to me in December.

In the end, I paid $200 to get my miles refunded back to my account and ended up booking a ticket on CX through AA...
Originally Posted by nihaoa
Maybe you can try to get $200 refunded this time. There is already one case successful.
Yes, absolutely. Now that the issue is documented by UA, see if you can't get the $200 back...or at least some e-cert love....

Originally Posted by DaviddesJ
Wouldn't the liability be against CA, since they are the ones disclosing the record locator? Good luck suing them in China.
Can you show where it was proven that CA is the party disclosing the record locator?
Specific language and all.......
goodeats21
Old Apr 25, 2014, 11:19 am
  #657  
FlyerTalk Evangelist
 
Join Date: Feb 2007
Location: Los Angeles / Basel
Programs: UA 1K MM, AA EXP, Hyatt Globalist
Posts: 26,930
Originally Posted by mgcsinc
The silence among the bloggers cannot possibly be an accident.
I can't believe you would say that. I'm not Gary or Ben, but I did write about it two days ago.
MatthewLAX
Old Apr 25, 2014, 11:31 am
  #658  
FlyerTalk Evangelist
 
Join Date: Dec 2007
Location: BOS/ORH
Programs: AS 75K
Posts: 18,323
Originally Posted by snic
Now we're up to 20 independent reports of this happening.

Where is the media? And where are the travel bloggers?

20 people having their travel plans disrupted isn't a stop-the-presses story, but UA's insecure handling of its customers' reservations would surely be of interest to many people, and it deserves public scrutiny.
No response to my Facebook post but that was not expected
CDKing
Old Apr 25, 2014, 12:21 pm
  #659  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.997MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,861
Originally Posted by DaviddesJ
Wouldn't the liability be against CA, since they are the ones disclosing the record locator? ....
Not clear CA is the direct source of the disclosures.
Apparently (reported up-thread) TAs in China have access to non-client record locator info.
WineCountryUA
Old Apr 25, 2014, 12:30 pm
  #660  
FlyerTalk Evangelist
 
Join Date: Feb 2007
Location: Los Angeles / Basel
Programs: UA 1K MM, AA EXP, Hyatt Globalist
Posts: 26,930
Originally Posted by WineCountryUA
Not clear CA is the direct source of the disclosures.
Apparently (reported up-thread) TAs in China have access to non-client record locator info.
This is my understanding too.

Heck, you can pick up the phone, call 1800United1, and get anyone's PNR if you know their last name and flight details.

And the sinister thing is that you can pull up people's info just by using common names.

Auto recognition sucks and HAL is quite liberal in suggesting names.
MatthewLAX

