EasyJet, Aer Lingus, and more implicated in data breach revealing half a million customer details
10 December 2015
Customers of 16 companies may have been affected by a flaw that sent their sensitive information over the web unencrypted, including payment card details.
A potential 500,000 customers of 16 companies face the prospect that their details have been exposed, with firms failing to encrypt information including names, payment card details and in some cases passport numbers.
Information submitted by customers through smartphone apps or mobile websites was sent to company servers in unencrypted form, leaving consumers open to potential incidents of theft or fraud, according to security firm Wandera.
Data was leaked as consumers made payments for attraction tickets, flights or flight upgrades.
The information leaked varies between providers, but could include customer names, addresses and contact details, complete card details and CVV codes, transaction amounts and in some cases passport numbers.
Airlines easyJet, Aer Lingus, Air Canada and Air Asia were all implicated, as well as transport services Chiltern Railways, KV Cars UK, Oui Car France and American Taxi.
Ticketing providers to popular tourist attractions such as Canada’s CN Tower and San Diego Zoo were also affected, along with retailers in the UK, US and France and Singapore event ticket provider Sistic.
The companies affected failed to use the secure HTTPS protocol to send confidential information to servers, although researchers say it is unclear whether the information had already been intercepted or maliciously used.
Eldar Tuvey, Wandera’s CEO, said it was possible HTTPS had not been used due to code flaws that could have stemmed from reliance on third-party services or libraries.
“It’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data,” he said.
“The most alarming thing is that it is very likely that there are plenty of other brands who have made the same mistakes.
“With lots of people booking journeys to go home for the Christmas holidays, it is worrying how much sensitive data could be put at risk.”
Wandera said it has contacted the affected firms and has so far received assurances from easyJet that the issue is no longer ongoing.
Full details of CardCrypt are available from Wandera’s blog.