Singapore Airlines confirmed that a data breach caused by a change to the airline’s website exposed travel and account details of around 280 KrisFlyer members.
The software glitch, reported by ZDNet, showed members another KrisFlyer member’s details when they logged in to their accounts on the website. Singapore Airlines confirmed that the glitch arose after it updated its website on January 4.
In a Facebook post, Singapore-based customer and KrisFlyer member Tricia Leo wrote of her experience seeing someone else’s account information when she logged in to the website.
"I logged into my KrisFlyer page and was able to see someone else's email on my profile page," she said in the post. "I tried a new login and I could see his entire history, upcoming trips, miles ..." In the ZDNet report, she was quoted as saying: "I saw that my miles were significantly lower and I had a different Elite status than what was shown on screen, so I initially thought my account had been hacked."
She added that she reached out to Singapore Airlines and was told to "log off for 24 hours as they were upgrading their system".
"We have established that this was a one-off software bug and was not the result of an external party's breach of our systems or members' accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved," a Singapore Airlines spokesperson said.
The airline also voluntarily informed Singapore’s Personal Data Protection Commission and contacted all affected customers. Under the country’s Personal Data Protection Act, companies found to breach the rules could be fined up to S$10,000 (US$7,325) per customer complaint or face a maximum penalty of S$1 million (US$732,532).