SINGAPORE: More than 280 KrisFlyer members had their account details and travel history disclosed to other customers due to a software bug, Singapore Airlines told Channel NewsAsia on Saturday (Jan 5). In a handful of cases, their passport numbers may have been revealed.
The bug was caused by a change to the Singapore Airlines website's homepage the day before.
According to SIA, the incident occurred between 2am and 12.15pm on Friday.
"We have been made aware of a number of cases in which a customer logged in to his or her KrisFlyer account, under certain specific conditions, may have been able to see selective details of another customer," an SIA spokesperson told Channel NewsAsia.
SIA said there were 285 such cases in total. Of these, 278 may have seen another customer's passenger's name, email address, account number, membership tier status, total KrisFlyer miles, recent miles transactions, upcoming flights and KrisFlyer rewards.
In the remaining seven cases, the passenger's passport details may have been disclosed as well.
These details would have been exposed if two members had been logged in to their KrisFlyer accounts and were accessing transactions displaying member info at the same time. They also had to be assigned the same server by the system, SIA said.
It added that the issue has since been resolved.
The incident came to light after a KrisFlyer member, Tricia Leo, took to Facebook to express concern about a security breach on Saturday.
"I logged into my KrisFlyer page and was able to see someone else's email on my profile page," she said in a Facebook post. "I tried a new login and I could see his entire history, upcoming trips, miles ..."
When contacted by Channel NewsAsia, Ms Leo said that she was concerned her data may have been compromised as well.
"I was shocked ... I became anxious because it was possible that someone else could also have access to my data," she said.
She added that she reached out to Singapore Airlines and was told to "log off for 24 hours as they were upgrading their system".
"ONE-OFF SOFTWARE BUG"
When asked about Ms Leo's account, SIA said it was unable to comment on individual cases because of customer confidentiality.
It added that the incident was due to a "one-off software bug" and that it was not the result of an external party’s breach of the systems or members’ accounts.
The airline said there were no changes made to any members' accounts and no credit card details were disclosed.
Singapore Airlines said it was following up directly with the affected customers.
Ms Leo added that the airlines had reached out to her on Sunday - two days after she had initially contacted them - to explain the issue. She has also been informed that her data was not compromised.
"We have also voluntarily informed the Personal Data Protection Commission of Singapore," the airline added.
"The protection of our customers’ personal data is of utmost importance to SIA, and we sincerely regret the incident. Immediate action is being taken to ensure this does not happen again."