UA Hacked by Same Group that Hit US OPM
#16
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,850
Topic Check
As this is the UA Forum, posts should relate to UA, one's experience flying with UA or using the UA MP program. Other topics, such as the nature of journalism or security / account breaks with other corporations / organizations, or the broad geopolitical hacking issues are not on topic -- there are other forums on FT for all of those.
WineCountryUA
UA coModerator
#18
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
#19
Join Date: Oct 2009
Location: Central NJ
Programs: UA 1MM+ - Gold, Hilton Gold, Marriott Gold
Posts: 187
I just had fraud activity on my credit card in the past 5 days. I logged into my credit card account and found a flight from UA booked. (Evidently I was going to the DR in 10 days!)
I called the credit card and they immediately closed the account then sent me a new card.
I called UA to get details on the ticket and I have to say my experience with customer service was concerning.
This credit card was stored in my account, but I asked if they could tell if the ticket was booked with the card stored in my account or if it was done separately (i.e. my card was compromised outside of UA). I feel this is a large question of fact since if it is the former then UA has bigger issues and I need to do something with my account (thankfully I have no miles in my account so they really can't do much damage to my account).
Essentially the CSR I spoke with either didn't understand my point or didn't care to.
I have already changed all my pins and passwords (which I hate that I have 2 for UA), but I still feel they should be able to answer this simple question for internal investigations.
#20
FlyerTalk Evangelist
Join Date: Aug 2005
Location: BOS/EAP
Programs: UA 1K, MR LTT, HH Dia, Amex Plat
Posts: 32,038
Regarding UA ... I don't store any CC details on their site ... apparently for good reasons
#21
FlyerTalk Evangelist
Join Date: Mar 2014
Location: 4éme
Posts: 12,038
For this type of data, disclosure requirements are defined by State Law not Federal. And each state that does have disclosure requirements also has their own definition of a breach and what data elements must be affected in order to trip the notification requirement. For example, some states require that data be in electronic form for the notification requirement to kick in.
#22
Join Date: May 2012
Location: ORF, RIC
Programs: UA LT 1K, 3 MM; Marriott Titanium; IHG Platinum
Posts: 6,958
I really like the following quotes from the Forbes article: http://www.forbes.com/sites/danielre...rtner=yahootix
Taken together, the three events (and other widely-publicized negative events in the past 12 months) paint a picture of a house in disorder at United. It doesn’t help that United officials keep offering up implausible and/or weak explanations for their problems and continue to ignore (at least publicly) the mounting evidence of a company that’s not in full control of itself. ...
Officials at the world’s second-largest airline previously tried to dismiss both of the system disruptions this summer – especially the second one, which effectively grounded the airline for nearly three hours on a peak summer vacation travel day - as minor technical glitches that got more news attention than they deserved. But nobody paying even half-way close attention is buying it.
Last edited by WineCountryUA; Jul 30, 2015 at 12:49 pm Reason: formatted quoted content
#23
Join Date: May 2009
Location: EWR
Programs: UA .5M, Vistana 1-Star owner
Posts: 992
With all of UA's massive secrecy, a Snowden-like leak would do well to service the whole world better by putting all their problems out in the open where public accountability will get them to make the changes they'll not only refuse to do but reply defiantly, perhaps by sending lawyers instead of a solution.
#25
Join Date: Nov 2003
Location: Houston
Programs: UA: MM
Posts: 844
How so? To tell you who has lighter security? It'd still be hard to tell what most people look like. And even if you knew the demographic info (name, date of birth, KTN, etc.) of people who had precheck, even if you do buy a boarding pass with that info, you'd still have to present a matching ID at the podium.
<snip>
<snip>
1. Old-fashioned identity theft.
2. Social engineering to get the trusted traveler to act as the mule.
We tend to think of these as short-term/immediate reward criminal events. But there is a long game too and if you have bad intentions, any data collected over time can be an advantage.
(To drag this back to United...) I think UA/CO (along with AA) was one of the first airlines to test the PreCheck process with their frequent flyers. They basically vouched for their FF. I was in Global Entry rev.1 so I didn't follow that path, but I seem to recall them offering it up. Perhaps the TSA recognized this as a weakness and that is why they pulled the plug and now require trusted travelers to go through the entire process.
FWIW
DLM
#26
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
Every attack has to start somewhere. If you were looking to get a person (or item) on an aircraft one method would be to target someone with a known lower threat profile (and yes, PreCheck IS profiling...) This could manifest itself in two ways:
1. Old-fashioned identity theft.
2. Social engineering to get the trusted traveler to act as the mule.
We tend to think of these as short-term/immediate reward criminal events. But there is a long game too and if you have bad intentions, any data collected over time can be an advantage.
(To drag this back to United...) I think UA/CO (along with AA) was one of the first airlines to test the PreCheck process with their frequent flyers. They basically vouched for their FF. I was in Global Entry rev.1 so I didn't follow that path, but I seem to recall them offering it up. Perhaps the TSA recognized this as a weakness and that is why they pulled the plug and now require trusted travelers to go through the entire process.
FWIW
DLM
The Forbes article really gets to the heart of the matter, and shows how the Chinese hack was a very serious issue. I've called to have the number changed on the Chase card I had linked to my UA account (I'm not flying UA much at all anymore anyways). I hate the idea of removing the trusted traveler number from my UA account, and honestly I think that horse has already left the barn. This is a pretty basic violation of trust. I trusted UA to protect my personal information, they have failed to do so on a massive scale, and yet they haven't even acknowledged it to me. When Target and Home Depot were hacked, they immediately notified customers, and even offered identity theft protection for free to customers who had shopped there, and the extent of the data that was stolen didn't come anywhere near to the level of what United has exposed. Think about it, your name, your address, your CC #'s, your family's names, your emergency contact person, your passport number, trusted traveler number, phone numbers...this is massive! And United's response? Crickets...
Last edited by transportbiz; Jul 31, 2015 at 7:59 am Reason: add more specific to thread topic
#27
Join Date: Apr 2000
Location: san antonio, texas
Programs: 3.2MM AA, 1.4MM UA,StwdLftPlt
Posts: 1,586
The Forbes article really gets to the heart of the matter, and shows how the Chinese hack was a very serious issue. I've called to have the number changed on the Chase card I had linked to my UA account (I'm not flying UA much at all anymore anyways). I hate the idea of removing the trusted traveler number from my UA account, and honestly I think that horse has already left the barn. This is a pretty basic violation of trust. I trusted UA to protect my personal information, they have failed to do so on a massive scale, and yet they haven't even acknowledged it to me. When Target and Home Depot were hacked, they immediately notified customers, and even offered identity theft protection for free to customers who had shopped there, and the extent of the data that was stolen didn't come anywhere near to the level of what United has exposed. Think about it, your name, your address, your CC #'s, your family's names, your emergency contact person, your passport number, trusted traveler number, phone numbers...this is massive! And United's response? Crickets...
As the previous poster observes, the extent of personal information potentially compromised greatly exceeds two of the more notorious recent hacks - Target and Home Depot.
#28
Join Date: May 2009
Location: EWR
Programs: UA .5M, Vistana 1-Star owner
Posts: 992
I find United's lack of public commentary on this matter deeply disturbing. Unfortunately, it is also completely consistent with their corporate approach to communications.
As the previous poster observes, the extent of personal information potentially compromised greatly exceeds two of the more notorious recent hacks - Target and Home Depot.
Encourage all of your media friends to write about this story since the lack of public knowledge or media attention means UA can keep its silence & have us face all the harm alone. The gravity of the hack & its scale of personal info is far in excess of the famous ones which were merely POS grabs, not one that translates into so many areas of life as airlines do.
Just another chance you'll love is apparently getting all your personal info hacked then vociferously denying that any such happened just because we can't get the proof from inside UA. Someone needs to be whistleblower.
#29
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,850
The Forbes article just mentions "manifests -- which include information on flights’ passengers, origins and destinations."
#30
FlyerTalk Evangelist, Ambassador: World of Hyatt
Join Date: Jul 2001
Location: NJ
Programs: Hyatt Globalist, Fairmont Lifetime Plat, UA Silver, dirt elsewhere
Posts: 46,919
Which definitely explains why I suddenly started getting spam with my name appearing exactly as it does on my boarding pass - which is my first name and middle initial all together as one name.