Singapore Airlines has announced that a software bug that surfaced during an upgrade to its official website on January 4th allowed frequent flyers to view personal information of other frequent flyers and exposed data of up to 285 flyers before the bug was fixed.
Last week, a Singapore Airlines customer, who is a member of the airline’s Krisflyer (frequent flyer) programme, toold ZDNet that after logging in to her Krisflyer account, she was able to view detailed account information of another passenger, including details about recent transactions, upcoming trips, the most recent trip, the associated email address, as well as the number of miles converted using credit card points.
After the customer contacted Singapore Airlines to report the issue, she was instructed to log out of her account and log back in after 24 hours as the airline was carrying out a system upgrade.
“Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing? It’s frustrating that we’re held hostage by these companies that demand our personal details, but don’t keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured,” she told ZDNet.
Bug exposed personal data of 285 flyers
When contacted by the news site, Singapore Airlines said that the information leak occurred due to a software bug that surfaced when the airline was carrying out changes to its official website on 4th January.
It added that before it was fixed, the bug resulted in the exposure of names, email addresses, account numbers, membership status, Krisflyer miles, recent miles transactions, upcoming flights, and Krisflyer rewards of 278 frequent flyers as well as the exposure of passport details of seven other flyers.
“We have established that this was a one-off software bug and was not the result of an external party’s breach of our systems or members’ accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved,” a Singapore Airlines’ spokesperson told ZDNet.
Bugs introduced during tech updates compromising user privacy
This isn’t the first time that software bugs introduced during technology upgrades have compromised personal information of millions of individuals who have entrusted the world’s largest companies with the safeguarding of their personal information.
Last month, Facebook announced that a software bug in its photos API exposed personal photos of up to 6.8 million users to up to 1,500 third-party apps, including photos that users uploaded to Facebook but chose not to share.
The apps that had access to photos of millions of users between September 13 and September 25 were authorised by Facebook to access the photos API and had also obtained prior approval from users to access photos that had been shared on their timeline.
However, thanks to the bug, developers of such third-party apps gained access not only photos that people shared on their timeline, but also to those shared on Marketplace or Facebook Stories and also to photos that people uploaded to Facebook but chose not to post.
In December, Google also announced that a freshly-introduced bug in a Google+ API exposed personal information of up to 52.5 million users to app developers and third parties. Information exposed by the bug included names, dates of birth, gender and email addresses and could be viewed by apps and third parties even when set to not-public.
Google revealed that the bug was introduced to its platform via a software update introduced in November and was fixed within a week of being discovered. Even though personal data of millions of users was exposed, there was no evidence that such data was accessed by any third party or misused by app developers.