Singapore Airlines’ software glitch exposed customer data

A software bug that emerged after a change was made to Singapore Airlines’ website had exposed the personal data of more than 280 members of the carrier’s Krisflyer frequent flyer programme.

Describing the bug as a one-off glitch, Singapore Airlines said the incident took place on 4 January 2019, when affected users who were assigned the same server were able to view the personal information of other Krisflyer members.

This included passenger names, email addresses and recent flights, as well as passport details in some cases. Member accounts remain unchanged, and no credit card information had been compromised, according to media reports.

Singapore Airlines has voluntarily reported the incident to the Personal Data Protection Commission (PDPC), Singapore’s data protection watchdog, and will follow up with affected customers. It said it has also taken action to prevent the occurrence of similar incidents.

Nabil Hannan, managing principal of software integrity group at Synopsys, said the incident could have occurred in cases where the authentication and authorisation schemes in an application are not designed well.

“In particular, when building the application, it is most likely that there were some basic flaws in the design of how authentication is performed to determine who can access what data,” Hannan said, adding that changes made in the application could have resulted in a “horizontal privilege escalation” situation that shows one customer a different customer’s private information.

Hannan noted that these types of bugs can be easily avoided, but doing so will require various security related checkpoints throughout the software development lifecycle.

“Typical QA [quality assurance] testing just isn’t enough to catch these types of issues since we know that most QA testers usually test the ‘happy path’, and in some cases at their discretion perform edge/boundary test cases,” he said.

The latest blunder underscores the growing number of data breaches in the Asia-Pacific region that can be traced to software bugs, system misconfigurations or the work of cyber criminals.

A bug recently found in the Google+ platform gave third-party developers access to 500,000 accounts, which included users’ full names, birth dates, genders, profile photos, occupations and even places where they lived.

In November 2017, Australia’s national broadcaster Australian Broadcasting Corporation (ABC) had inadvertently exposed sensitive data, including information on production services and stock files held at Amazon’s S3 cloud storage service.

The blunder was reported on 16 November 2017 by cyber security expert Kromtech, which attributed the data leak to at least two misconfigured S3 buckets that could be accessed publicly.

The leaked data also comprised database backups, along with email addresses, login information and hashed passwords used by ABC Commercial users, including members of the media, to access ABC’s content.

Both Singapore and Australia have enacted strict personal data protection rules. In Singapore, organisations that flout these rules under the Personal Data Protection Act can face financial penalties of up to S$1m (US$736,900).

The PDPC is also looking introduce a new mandatory data breach notification regime, following a similar move by Australia in 2018. According to NordVPN, a virtual private network service provider, more than a billion people had their personal data compromised in 2018.