I’m sure that United Airlines would like the news about MileagePlus accounts being compromised to remain relatively quiet. Very little good publicity typically comes from such stories. So when a reasonably well-known tech journalist sees his account caught up in the mess and then publishes his tales of woe online, well, that’s bad news all around.
Sending mixed messages to affected customers is probably not so good either. In the emails sent to many affected passengers, United has stated that the breach is a result of data compromised by a third-party vendor. In this guy’s case, the rep he spoke to suggested that the account was compromised because he logged in using an unsecured connection on a public WiFi hotspot:
She also asked if I’d been traveling lately (duh) and if I’d used a hotel Wi-Fi system or any free Wi-Fi while away. I had, as many of you probably have. That’s where my info probably got snatched, she said. Don’t do that anymore, she (ahem) suggested. Use a cell hotspot. Don’t be stupid.
And, of course, there’s really no excuse for United to allow unsecured logins to the site anyway.
The story continues on to talk about catching the bad guys when they attempt to use the fraudulently booked tickets. Alas, in most cases these tickets are booked for a passenger who has no idea what’s going on. Usually the hacker sells the seat to an unsuspecting victim and pockets the money immediately. If the fraud is discovered and the ticket revoked, the passenger is out the cash but likely had nothing to do with the theft, other than buying the stolen goods. And usually they don’t know that the ticket was obtained illicitly. It is ugly for everyone except the thief.
Most distressing to me is the number of reports coming out that affected customers are being passed around among the United call centers, with many agents unable to resolve the issue or unaware of who the MileagePlus members need to speak with to get things cleared up. Obviously this isn’t the sort of thing where any frontline agent should be able to reset the account credentials. At the same time, the company needs a well-defined group who can handle such requests, and everyone who answers customer calls should know who that group is and how to direct customers to them. Many stories suggest that isn’t happening very well at all.