Air New Zealand has suffered a data breach after two of its staff accounts were phished.
The carrier advised customers that while Airpoints loyalty accounts were not accessed, some information relating to membership profiles may have been visible on internal documents.
It sent out an email this afternoon advising customers of the breach.
The email also stated that credit card details and Airpoints passwords were not affected.
The breach comes on the back of UK airline carrier British Airways being hit with a US$230 million fine by a privacy watchdog for failing to protect its customers' data in 2018.
Data compromised in that hack included login details, payment information, travel booking information, and addresses and affected anyone who booked a flight through the British Airways website over a two-week period.
In total, that came up to approximately 380,000 accounts.
The fine sets a tough precedent, making airline carriers realise they are targets for cyber-attacker for the customer information they hold, and that authorities expect them to take full responsibility for securing that data.
Air New Zealand loyalty and customer direct regional general manager Jeremy O'Brien says the company has secured the two affected staff accounts and are conducting a thorough investigation on the event.
“We're also focused on further hardening our security processes to help prevent any similar incidents from happening in the future.
He encouraged customers to be on the lookout for phishing emails over the next few months, reminding them that they will never ask for credit card details or login information in an email.
The company also included the following tips on how to spot phishing emails:
Phishing scams can be very sophisticated.
If your personal information was exposed in this recent incident, it could possibly be used to create authentic-looking hoax emails.
They could include your name and your Airpoints number, for example.
Please be cautious of emails that:
- Appear to be from Air New Zealand, but are not from one of our mailing addresses which usually end in airnz.co.nz, airnewzealand.co.nz or grabaseat.co.nz
- Make urgent appeals for fast action
- Ask you to make an online payment
- Include attachments that may contain viruses
- Contain links to sites that are malicious or unsavoury
If the email seems to be from someone you trust but is asking you to make an unusual financial transaction, call or text the real sender to check.
If you think you have been sent a phishing email, delete it immediately.
For more information on phishing emails visit CERT NZ, the New Zealand Government's cybersecurity advisory service, or Netsafe NZ.