United website breach let fliers see each others’ private data

I reported on the United Airlines MileagePlus incident earlier this month, but now Cory Doctorow is reporting yet another breach involving United Airlines:

My wife came back from giving a conference speech in Las Vegas in December with the weirdest story: when she fired up the United check-in mobile site, she found herself looking at someone else’s flight details, along with cellular numbers, home address, passport details, and buttons that would let her request multi-thousand-dollar upgrades for strangers. Every time she hit reload, she got someone else’s private information.

[…]

Johnston confirmed that they had experienced a bug with their app that leaked sensitive personal information to random customers. He wouldn’t when (sic) the bug started, or how many people experienced it, though he said that 20 customers reported it, and it was fixed on December 17. He would not answer these questions:

Read more on BoingBoing. From the description of this incident, it sounds unrelated to the previously reported breach.

Companies routinely screw up breach disclosure and notification. When they screw up and the breach involves a journalist with a huge following, that’s really, um, …. a bad choice?

 

About the author: Dissent
