[German] A few hours ago I was notified by a German blog reader about a data breach at Lufthansa’s frequent traveller bonus program Miles & More. After logging in, customers were able to access the account data of other customers.
German blog reader Daniela V. just sent me a mail (thanks for that), in which she pointed out a serious flaw in the Miles & More program. She wrote me about it:
there was a huge problem with Miles&More.
I wanted to look something up in my account overview and had to enter my password (I always stay logged in temporarily), but it said something was supposedly wrong.
So I logged out completely and logged in again. However, I no longer ended up with my own user data in my account, but with that of a complete stranger.
I repeated the whole thing 6 times and always ended up with another M&M participant. I made screenshots of 6 of the unwanted “foreign accesses”.
She has sent me those screenshots of the unwanted foreign account data. Here is one screenshot, from which I’ve removed personal data.
(Miles&More account 1, Click to zoom)
Here is the screenshot of a second account, whose data was displayed after a login with Daniela’s access data.
(Miles&More account 2, Click to zoom)
Daniela V. tried this several times and each time came across the record of a foreign account, never her own data. She wrote me that she had asked in the Miles & More Facebook group and had received confirmations from other affected people. She wrote:
In the meantime, I asked in the M&M Facebook group whether anyone had the same question. There has now been some feedback with the same problem.
Shortly afterwards, the login to the portal was no longer possible.
I wonder, of course, what went wrong there and whether someone couldn’t also do mischief with such data, or whether it is a case for the GDPR?
Concerning the question ‘what went wrong’, I suspect that an indexing of a database may have gone wrong. Is this a case for the GDPR?
I think it is a GDPR breach, because users were able to access the personal data of other accounts using their own access data – unless it was test data in the database (which I don’t believe).
More findings and it’s not over
In the aftermath Daniela wrote me that the login was locked, and that it then worked again for a short time. The first login then showed her own data. After another login attempt, foreign data was shown again. Daniela rightly writes:
In the meantime, by the way, the login briefly worked again. At the second attempt I was actually in my account. For clarification I tried it a third time, and there I was also wrong, like the first time.
I think it’s very questionable, especially from an IT point of view.
I hope that there will be some consequences, you could have done who knows what with the miles and I don’t know how far that would go with regard to data (connected credit card),
Something has gone wrong. A lot of people are probably affected – some may not have noticed because they didn’t log in. During a quick web search I came across this thread at the frequent flyer club. There, too, affected people discussed the same thing – one user had access to the data of another Lufthansa customer from Poland. Since about 4:00 p.m. German time, the account login seems to be blocked. I can only underline the recommendation to immediately check everything for changes and to change the access data as soon as the login works again, because in theory someone could have changed the data (PIN, e-mail address etc.) of a foreign account. Let’s see what else can be said.
Addendum: A German blog reader sent me a statement she received as a customer from Lufthansa Miles&More:
I also received a statement from the Miles & More GmbH press department, which I’ve added to the German article. In brief:
- A total of 9,885 Miles & More accounts were accessed and displayed on the website during this period. The data from these accounts was partly displayed to the account holder and partly to other participants logged in at the same time.
- 4,100 participants actively logged in during this period, in some cases several times. The additional accounts were those of permanently logged in participants. Miles & More informed the maximum 9,885 participants affected about the incident.
- Specifically, the following data from other customers was potentially viewable: Name, service card number, date of birth, address, email, telephone number, user name, mileage, transaction data, travel preferences (departure airport and automatic check-in), consents to advertising and preferred language settings.
- The data of bank accounts and credit cards could not be viewed. Only the last 4 digits were displayed for credit cards. This is completely unusable for card misuse. The same applies to the account numbers, where also only the last 4 IBAN digits were visible.
They also wrote: A separate password/PIN is also required for potential changes. Accordingly, no access to bank accounts or credit cards was possible. The problem occurred only on December 9th between 16:00 and 16:40 (German time).
At 4:40 p.m. the login function was deactivated and the malfunction was thus switched off. This meant that access to participant accounts was no longer possible. Miles & More participants who were not logged on to the Miles & More website during the period are not affected by the incident. This also applies to other systems outside the Miles & More website (e.g. Miles & More App or LH.com).
The Miles & More IT department is working on an error analysis and is carrying out extensive tests. Miles & More asks its participants for patience. The login function is being monitored intensively on an ongoing basis and will be activated in stages after the error has been corrected. There are currently no signs of a hacker attack.