Two recent blog posts, and an article about a massive data breach at Wyndham Hotels and Resorts and Cunard Cruises prompted me to post about the topic. View from the Wing & Frequently Flying both posted about American Airlines lack of participation with AwardWallet. It’s frustrating not to be able to track your miles. I know, I love my miles too and I love to track them with one vendor. However, there is an inherient risk any time your provide your personal data over the internet and everyone should be aware of them.
Let’s look at the most recent major security breach to hit the news. On June 26, 2012, the Federal Trade Commission (“FTC”) filed a complaint against Wyndham Worldwide Corporation and 3 of their subsidiaries. The complaint alleged that the company’s failure to adequately safeguard customers’ personal information led to millions of dollars in losses to fraud. The complaint alleges that Wyndham’s privacy policy misrepresented the security measures it used to safeguard personal information. The complaint also charges that Wyndham, after the first breach, failed to fix security vulnerabilities which the FTC claims resulted in two additional data security breach incidents in less than two years.
In the most recent data breach, just announced last week, Cunard Cruise lines was forced to shut down its online booking system after accidentally sending the personal information of more than 1,200 passengers to an undisclosed number of people who are registered users of the Cunard website. Members started posting a spreadsheet they had received from Cunard on chat room discussion boards and it contained the personal data of passengers – including passport numbers, names, dates of birth and other personally identifiable information.
American Airlines has every right to be worried about the transmission of secure data through third-party vendors. Major corporations like Wyndham and Linked In all are becoming victims of sophisticated (and probably some not-so-sophisticated) hackers. Last month, Russian hackers stole 6 million passwords from Linked In. In 2010, American Airlines itself was the victim of a data breach when a hard drive containing private employment records from the years 1960 to 1995 for over 79,000 employees went missing.
Airlines, hotels and most of all, consumers should demand security, not convenience. The question I would be asking isn’t why American doesn’t participate with AwardWallet, but what risks were present with AwardsWallet’s app that prompted American Airlines (and others) not to participate. How can you protect yourself?
- At a minimum, consumers should not use website that are not secure (look for the https in the web address) and when you’re providing your personal information – including passwords – be sure that you’re using a trusted source – I bet no one who checked into Wyndham hotels thought they’d be the victims of credit card fraud.
- If a site’s security certificate is out of date or expired, don’t use that site.
- Check out the vendor to see if they are PCI compliant – PCI is an international credit card standard meant to protect consumers personal credit card data
- Companies who host data (especially if credit cards and secure data is involved) shouldbe SAS-70 or SSAE 16 compliant. SAS-70 and SSAE 16 are auditing standards developed to assesses a service organization’s internal controls.
- Create very secure password – please don’t use Password123 – and be sure to reset your passwords frequently. In addition, don’t use the vendors name in your password – many of the LinkedIn passwords that were exposed contained the word “LinkedIn” or some variation. Hackers are smart enough to go try your password on say, Twitter and just replace “LinkedIn” with “Twitter” and next thing you know, your Twitter account is hacked too
- Don’t give out your password. Last week, when I had such trouble with Points.com, they asked me to provide my password to them via email. Don’t ever provide your password via email.