WineCountryUA

Topic Check

As this is the UA Forum, posts should related to UA, ones' experience flying with UA or using the UA MP program. Other topics, such as the nature of journalism or security / account breaks with other corporations / organizations, or the broad geopolitical hacking issues are not on topic -- there are other forums on FT for all of those.

WineCountryUA
UA coModerator

blueman2

Isn't United (or ANY company) legally obligated to inform people who's data might have been compromised by an attack? I was never notified. Still have not been.

transportbiz

Yes it is, but being compelled to do something by the law, doesn't often move United to do so.

koc1723

I just had fraud activity on my credit card in the past 5 days. I logged into my credit card account and found a flight from UA booked. (evidently I was going to the DR in 10 days!)
I called the credit card and they immediately closed the account then sent me a new card.
I called UA to get details on the ticket and I have to say my experience with customer service was concerning.
This credit card was stored in my account, but I asked if they could tell if the ticket was booked with the card stored in my account or if it was done separately (ie my card was compromised outside of UA). I feel this is a large question of fact since if it is former then UA has bigger issues and I need to do something with my account (thank fully I have no miles in my account so they really can't do much damage to my account).
Essentially the CSR I spoke with either didnt understand my point or didn't care too.
I have already changed all my pins and passwords (which I hate that I have 2 for UA), but I still feel they should be able to answer this simple question for internal investigations.

cfischer

United? I doubt they care. Honestly, I check my CCs online very regularly and don't rely and companies like UA to tell me when they had yet another problem with their web security.
Regarding UA ... I don't store any CC details on their site ... apparently for good reasons

TomMM

For this type of data, disclosure requirements are defined by State Law not Federal. And each state that does have disclosure requirements also has their own definition of a breach and what data elements must be affected in order to trip the notification requirement. For example, some states require that data be in electronic form for the notification requirement to kick in.

Kmxu

I really like the following quotes from Forbes article: http://www.forbes.com/sites/danielre...rtner=yahootix

Richard Chen

With all of UA's massive secrecy, a Snowden-like leak would do well to service the whole world better by putting all their problems out in the open where public accountability will get them to make the changes they'll not only refuse to do but reply defiantly, perhaps by sending lawyers instead of a solution.

tuolumne

Jeff Smisek parody regarding his latest IT meltdown.

dmunz

Every attack has to start somewhere. If you were looking to get a person (or item) on an aircraft one method would be to target someone with a known lower threat profile (and yes, PreCheck IS profiling...) This could manifest itself in two ways:

1. Old fashoned identity theft.
2. Social engineering to get the trusted travler to act as the mule.

We tend to think of these ask short-term/imeadiate reward criminal events. But there is a long game too and if you have bad intentions, any data collected over time can be an advantage.

(To drags this back to United...) I think UA/CO (along with AA) was one of the first airlines to test the PreCheck process with their frequient flyers. They basically vouched for thier FF. I was in Global Entry rev.1 so I didn't follow that path, but I seem to recall them offering it up. Perhaps the TSA recognized this as a weekens and that is why they pulled the plug and now required trusted travelers to go through the entire process.

FWIW
DLM

transportbiz

Interesting theory but, UA was actually the last to get its precheck process in order. DL and AA were using it for months ahead of UA. I'd used it at DTW on a DL flight more than a year before UA offered it. You can apply for precheck, and get it more frequently, but the FF approach is still in effect, as well as "random" selection for precheck, hence all the old folks in precheck that have no idea what to do.

The Forbes article really gets to heart of the matter, and shows how the Chinese hack was a very serious issue. I've called to have the number changed on the Chase card I had linked to my UA account (I'm not flying UA much at all anymore anyways). I hate the idea of removing the trusted traveler number from my UA account, and honestly I think that horse has already left the barn. This is a pretty basic violation of trust. I trusted UA to protect my personal information, they have failed to do so on a massive scale, and yet they haven't even acknowledged it to me. When Target and Home Depot were hacked, they immediately notified customers, and even offered identity theft protection for free to customers who had shopped there, and the extent of the data that was stolen didn't come anywhere near to the level of what United has exposed. Think about it, your name, your address, your CC #'s, your families names, your emergency contact person, your passport number, trusted traveler number, phone numbers...this is massive! And United's response? Crickets...

luckypierre

I find United's lack of public commentary on this matter deeply disturbing. Unfortunately, it is also completely consistent with their corporate approach to communications.

As the previous poster observes, the extent of personal information potentially compromised greatly exceeds two of the more notorious recent hacks-Target and Homedepot.

Richard Chen

+100

Encourage all of your media friends to write about this story since the lack of public knowledge or media attention means UA can keep its silence & have us face all the harm alone. The gravity of the hack & its scale of personal info is far in excess of the famous ones which were merely POS grabs, not one that translates into so many areas of life as airlines do.

Just another chance you'll love is apparently getting all your personal info hacked then vociferously denying that any such happened just because we can't get the proof from inside UA. Someone needs to be whistleblower.

WineCountryUA

What is your source of info that this level of info was hacked?

The Forbes article just mentions " manifests -- which include information on flights’ passengers, origins and destinations ."

Mary2e

Which definitely explains why I suddenly started getting spam with my name appearing exactly as it does on my boarding pass - which is my first name and middle initial all together as one name.