Alaska Airlines reports fraud to New Hampshire, but no residents affected
Technorati Tag: Security Breach
Date Reported:
8/5/08
Organization:
Alaska Air Group, Inc.*
*the holding company for Alaska Airlines and Horizon Air (Source: Investor Relations - Corporate Overview)
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
Unknown
Types of Data:
"payment card information"
Breach Description:
"We recently became aware of a crime involving payment card information of some Alaska Airlines and Horizon Air customers. An employee working in our call reservation center who was responsible for processing customers' requests for changes to their reservations misused the payment card information provided by some customers to pay for reservation changes"
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
We recently became aware of a crime involving payment card information of some Alaska Airlines and Horizon Air customers.
An employee working in our Phoenix, Arizona reservation center who was responsible for processing customers' requests for changes to their reservations misused the payment card information provided by some customers to pay for reservation changes
Rather than processing the payment on behalf of Alaska Airlines or Horizon Air, this employee processed the change requests but diverted payments to personal accounts.
[Evan] How was this call center employee able to change payment routing details? This seems like too many privileges and a lack of segregation of duties. The same person that accepts payment information should not be the same person that has the ability to dictate where the payment goes. I suppose the employee could have compromised the system(s) and elevated his/her privilges, which is a whole nuther can 'o worms.
The employee has since been terminated and we are working with law enforcement to prosecute this individual.
We are not aware of any New Hampshire residents who may have been affected by this crime.
[Evan] This statement made me question why Alaska Airlines notified the New Hampshire Attorney General. Just to be safe, in case there was a New Hampshire resident affected that Alaska Airlines is not aware of? As far as I know, there is no obligation to notify the Attorney General is there was nobody affected from the state.
We regret that this happened.
We take our obligation to safeguard your personal information very seriously and, therefore, we are alerting you so you can take steps to protect yourself from possible fraud in connection with the payment card you used to pay for an Alaska Airlines of Horizon Air reservation change.
[Evan] My advice? Determine which card you used with Alaska Airlines and cancel the card with the bank. Get a new one, if you need it. Done deal.
We hope this information is useful to you.
If you would like to speak with us, please call us toll-free at , Monday through Friday, between 8 a.m. and 5:45 p.m. (Pacific Time).
Commentary:
This is a unique breach notification in the fact that it was sent to an attorney general that apparently does not have any affected constituents. It leads me to question the incident response procedures at Alaska Airlines.
The extent of this breach seems to be limited to the customers that made reservation changes through this fraudster (er, former employee), and the motivation was purely short-term monetary gain. Hopefully the former employee did not sell or distribute the information to others.
Past Breaches:
Unknown
Date Reported:8/5/08
Organization:
Alaska Air Group, Inc.*
*the holding company for Alaska Airlines and Horizon Air (Source: Investor Relations - Corporate Overview)
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
Unknown
Types of Data:
"payment card information"
Breach Description:
"We recently became aware of a crime involving payment card information of some Alaska Airlines and Horizon Air customers. An employee working in our call reservation center who was responsible for processing customers' requests for changes to their reservations misused the payment card information provided by some customers to pay for reservation changes"
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
We recently became aware of a crime involving payment card information of some Alaska Airlines and Horizon Air customers.
An employee working in our Phoenix, Arizona reservation center who was responsible for processing customers' requests for changes to their reservations misused the payment card information provided by some customers to pay for reservation changes
Rather than processing the payment on behalf of Alaska Airlines or Horizon Air, this employee processed the change requests but diverted payments to personal accounts.
[Evan] How was this call center employee able to change payment routing details? This seems like too many privileges and a lack of segregation of duties. The same person that accepts payment information should not be the same person that has the ability to dictate where the payment goes. I suppose the employee could have compromised the system(s) and elevated his/her privilges, which is a whole nuther can 'o worms.
The employee has since been terminated and we are working with law enforcement to prosecute this individual.
We are not aware of any New Hampshire residents who may have been affected by this crime.
[Evan] This statement made me question why Alaska Airlines notified the New Hampshire Attorney General. Just to be safe, in case there was a New Hampshire resident affected that Alaska Airlines is not aware of? As far as I know, there is no obligation to notify the Attorney General is there was nobody affected from the state.
We regret that this happened.
We take our obligation to safeguard your personal information very seriously and, therefore, we are alerting you so you can take steps to protect yourself from possible fraud in connection with the payment card you used to pay for an Alaska Airlines of Horizon Air reservation change.
[Evan] My advice? Determine which card you used with Alaska Airlines and cancel the card with the bank. Get a new one, if you need it. Done deal.
We hope this information is useful to you.
If you would like to speak with us, please call us toll-free at , Monday through Friday, between 8 a.m. and 5:45 p.m. (Pacific Time).
Commentary:
This is a unique breach notification in the fact that it was sent to an attorney general that apparently does not have any affected constituents. It leads me to question the incident response procedures at Alaska Airlines.
The extent of this breach seems to be limited to the customers that made reservation changes through this fraudster (er, former employee), and the motivation was purely short-term monetary gain. Hopefully the former employee did not sell or distribute the information to others.
Past Breaches:
Unknown
Posts Atom 1.0
Comments