The Data Breaches Continue

Another Day – Another Breach

This time it’s being reported that SITA, a company owned by the airline industry, is at the centre of a data security incident.  SITA says it is to do with its Passenger Service System (PSS), and other reports suggest it is #LoyaltyFraud at some Star Alliance carriers.  British Airways, not part of Star, has written to its FFP members to tell them to change their passwords.

SITA is one of those companies most people outside the airline industry have never heard of.  But they are integral to how airlines and airports work.  I’m not going to go into all those details, but a PSS and a network/telecoms provider really is at the heart of a lot of data transfer.  It must be serious if BA is telling you to change your password!

Should I change my Loyalty Password?

It’s probably a very good thing to do, even if you are not a Star Alliance member.  However, it is also a good practice to get into on a regular basis.  What happens when this data gets stolen is something called “credential stuffing”.  In short, attackers take the passwords that have been stolen and try them everywhere.  So, if you use the same password elsewhere, you could find yourself with a loyalty account that has nothing in it.

Password Managers are a good idea

There are numerous password managers out in the marketplace.  You set up one master password, and the software does the remembering for you.  They’ll even set up things like Two Factor Authentication, as well as suggesting different/complex passwords for you.  I use LastPass, which is one such service.  It also looks on the dark web to see if your email address is being sold and likely to become a victim of credential stuffing.

What should Companies do to stop these breaches?

Now, there are steps we can all take (a couple listed earlier) to help keep our accounts secure.  But what about the companies holding this data?  What should they be doing?  This is where it gets interesting.  There are companies out there, like Accertify, which is part of American Express, that have products to help companies in this area.  For example, they (and others) can detect when an account looks like it has been compromised.
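To make the “credential stuffing” described under “Should I change my Loyalty Password?” and the compromised-account detection mentioned just above concrete, here is an added example that is not part of this post and is not SITA’s or Accertify’s code.  It assumes a simple login-audit format (timestamp, client IP, account, outcome) that I made up for the illustration, with constructed sample lines, and assumed thresholds: one client IP trying many distinct accounts in a short window, with mostly failures, is the classic stuffing signature, and any success from such an IP marks an account as likely compromised.  A user retrying their own password, or an office NAT where many accounts all log in successfully, is deliberately not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data): timestamp, client IP, account, outcome.
# 198.51.100.7 sprays stolen passwords across many accounts and hits one (dave).
# 203.0.113.9 is a single user mistyping their own password once.
# 192.0.2.44 is an office NAT: many distinct accounts, but every login succeeds.
SAMPLE_LOG = """\
2021-03-05T10:00:01Z 198.51.100.7 alice@example.com FAIL
2021-03-05T10:00:02Z 198.51.100.7 bob@example.com FAIL
2021-03-05T10:00:03Z 198.51.100.7 carol@example.com FAIL
2021-03-05T10:00:04Z 198.51.100.7 dave@example.com SUCCESS
2021-03-05T10:00:05Z 198.51.100.7 erin@example.com FAIL
2021-03-05T10:00:06Z 198.51.100.7 frank@example.com FAIL
2021-03-05T10:00:07Z 198.51.100.7 grace@example.com FAIL
2021-03-05T10:05:00Z 203.0.113.9 alice@example.com FAIL
2021-03-05T10:05:30Z 203.0.113.9 alice@example.com SUCCESS
2021-03-05T11:00:00Z 192.0.2.44 heidi@example.com SUCCESS
2021-03-05T11:00:10Z 192.0.2.44 ivan@example.com SUCCESS
2021-03-05T11:00:20Z 192.0.2.44 judy@example.com SUCCESS
2021-03-05T11:00:30Z 192.0.2.44 ken@example.com SUCCESS
2021-03-05T11:00:40Z 192.0.2.44 liz@example.com SUCCESS
"""


def parse_line(line: str):
    """Split one assumed-format audit line into (datetime, ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def detect_stuffing(log_text: str,
                    window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5,
                    min_fail_ratio: float = 0.8) -> dict:
    """Return {ip: {"accounts": n, "likely_compromised": [accounts]}} for every
    client IP that, within any sliding time window, tried at least min_accounts
    distinct accounts with a failure ratio of at least min_fail_ratio.
    Thresholds are assumptions for the illustration, not tuned values."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, account, outcome = parse_line(line)
        by_ip[ip].append((ts, account, outcome))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # time-ordered so a sliding window works
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            fails = sum(1 for _, _, out in span if out == "FAIL")
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                # Any success from a spraying IP is an account to force a reset on.
                hits = sorted({acct for _, acct, out in span if out == "SUCCESS"})
                findings[ip] = {"accounts": len(accounts), "likely_compromised": hits}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The failure-ratio check is what keeps the office NAT (192.0.2.44) out of the results even though it touches as many accounts as the attacker; in a real deployment the window and thresholds would be tuned against the site’s own traffic, and the “likely_compromised” list is the set of accounts whose owners should be told to change their password, which is exactly the step the airlines are asking members to take.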

The key, however, is to be systematically aware.  Every part of your data chain is an area that can be breached.

If you think about it, whenever you complete an online form, you are entering data into a company’s database.  And that data can be malicious.

How all of that works is beyond my technical skills and expertise.  Therefore, I leave that to the experts that cover this area.  Drop me a line if you want to connect with the likes of Mark Dawes or Ben Laurie at Accertify.  Or the likes of Forter, Riskified or other companies that are operating in this area.  I’ll happily point you in the right direction!

More links to the SITA Incident