I’m sure that United Airlines would like the news about MileagePlus accounts being compromised to remain relatively quiet. Stories like this rarely generate good publicity. So when a reasonably well-known tech journalist sees his account caught up in the mess and then publishes his tales of woe online, well, that’s bad news all around.
Sending mixed messages to affected customers is probably not so good either. In the emails sent to many affected passengers, United has stated that the breach is a result of data compromised by a third-party vendor. In this guy’s case, the rep he spoke to suggested that the account was compromised because he logged in using an unsecured connection on a public WiFi hotspot:
> She also asked if I’d been traveling lately (duh) and if I’d used a hotel Wi-Fi system or any free Wi-Fi while away. I had, as many of you probably have. That’s where my info probably got snatched, she said. Don’t do that anymore, she (ahem) suggested. Use a cell hotspot. Don’t be stupid.
And, of course, there’s really no excuse for United to allow unsecured logins to the site anyways.
The story continues on to talk about catching the bad guys when they attempt to use the fraudulently booked tickets. Alas, in most cases these tickets are booked for a passenger who has no idea what’s going on. Usually the hacker sells the seat to an unsuspecting victim and pockets the money immediately. If the fraud is discovered and the ticket revoked, the passenger is out the cash but likely had nothing to do with the theft, other than buying the stolen goods. And usually they don’t know that the ticket was obtained illicitly. It is ugly for everyone except the thief.
Most distressing to me is the number of reports coming out that affected customers are being passed around amongst the United call centers, with many agents unable to resolve the issue or unaware of who the MileagePlus members need to speak with to get things cleared up. Obviously this isn’t the sort of thing where any frontline agent should be able to reset the account credentials. At the same time, the company needs a well-defined group who can handle such requests, and everyone who answers customer calls should know who that group is and how to direct customers to them. Many stories suggest that isn’t happening very well at all.
Read more at Yahoo Travel: 4 Lessons from a Hack: My Airline Miles Were Stolen
I’m thinking about becoming a hoarder for my New Year’s resolution so a box would be a good start.
My account was hacked this week, and UA Corporate Security called me before I even noticed. They put the miles back in immediately (100,000 used for gift cards), but then just told me to make sure to reset the passwords myself. It certainly didn’t seem like they had a process to do so, and even so, they allow a 4-digit PIN so it really isn’t that secure. Certainly seems like they need to do a bigger security audit themselves. (That said, the corporate security person was great and made it really painless. I’m sure that’s not the norm, but I appreciated it.)
Unfortunately, UA call center staff aren’t equipped to address even run-of-the-mill travel stuff efficiently. They should contract out this interface to well-paid, educated individuals and empower them.
> Use a cell hotspot.
For example, at a Marriott where they block cell hot spots?
United agents making up stuff as they go along? United blaming the customer? United deflecting corporate responsibility? This is Standard Operating Procedure at the new United. This should not be a surprise to anyone.