United Airlines is notifying some members of its MileagePlus program of a data security breach this week. According to the notice being sent out the attacks started on 24 December 2014 and involved “usernames and passwords obtained from a third-party source.” The email alert continues:
[The unauthorized party] were able to obtain your MileagePlus number, account balance and Premier status, but there is no indication that any other information was obtained. However, there is a possibility that other details in your account profile could be viewed, such as mailing address. Please note that if your profile includes a credit card number, all but the last four digits are masked.
Affected MileagePlus members have had access to their accounts suspended pending contact with a call-center agent who will verify certain account data and then reset the security credentials before allowing access again.
United has not named the “third-party source” of the compromised credentials. The company does state that “United was not the only company where attempts were made.”
It seems interesting to me to note that MileagePlus has announced two significant new partnerships recently: MileagePlusX and MileagePlus Dining. Both allow access to MileagePlus services using the same credentials as for accessing a MileagePlus account directly. But that access is managed through what appears to be oAuth-based authentication where the credentials are managed by United, not the partners. And at least one member with a compromised account reports that their password and PIN for MileagePlus is unique, casting some doubt on the claim that common account credentials is the issue.
Lots of questions still to be answered, but there is one thing which seems quite clear: MileagePlus data is being attacked. And that’s not good for anyone.
Never miss another post: Sign up for email alerts and get only the content you want direct to your inbox.
I have not received a message, yet. I have not signed up with either of those partnerships.
I’ve signed up with all those partners and haven’t had my account locked yet, I changed my PIN/password just in case though.
Why do you think this occurred on 12/24? I was tod by united on 12/21 about this per my flyer talk post.
I’m using the date UA noted in the one version of the email notice I’ve seen. Absolutely possible it has been going on longer.
And I’ve edited your comment to adjust the name, but it only shows what you type in.
Please remove my name from the prior post. I did not lease either my actual name or email address you be made public.
i got the notice, and what’s even more frustrating is that when I called the number they told me to call, nobody had any idea what was going on. They kept transferring me to different departments and supervisors, each of whom asked me to repeat the same information, then said “oh, i need to transfer you to somebody else to handle this”, only then to have the whole process begin again. After about a half hour on hold, I gave up and hung up. What’s more, most of these agents appeared to be from overseas, and didn’t have great language skills. Not a good way to handle a crisis!
Yeah…it seems that UA dropped the ball on the customer-facing aspect of this issue in many ways. Dealing with a data breach is neither fun nor easy. But I think recent history shows that having a consistent, convenient and coherent customer-facing message and support infrastructure is key to getting through the troubles successfully. At least from a PR perspective. And UA isn’t doing so well on that front.