Lawyers involved after Wandera cites airline as one of 16 companies hit by CardCrypt
12/12/2015: EasyJet’s lawyers are challenging claims that the airline has leaked customers’ credit card details.
Security firm Wandera said it unearthed a security vulnerability dubbed CreditCrypt this week, saying 16 companies including EasyJet, AirAsia, Aer Lingus, Air Canada and San Diego Zoo fell foul of it, leading to them revealing customer credit card details.
Mark Ramsden, corporate affairs manager at easyJet, told IT Pro: “The first thing to say is that we have involved our lawyers who have written to Wandera to challenge their claims.
“Our customers are always our priority and as you would expect easyJet takes the security of their data extremely seriously. We use the latest technology alongside regular audits to test our systems to ensure our customers’ data remains protected. If we are ever made aware of an issue we investigate it thoroughly and act on it immediately.”
He added that passenger data is always transmitted using HTTPS encryption, after Wandera speculated that a failure to use this led to the data allegedly being exposed.
Meanwhile, no easyJet customers have reported payment security issues resulting from their use of the easyJet app, Ramsden said, before adding: “Our security experts have contacted Wandera and they are yet to provide us with sufficient information to validate their claims.
“We still don’t know very much about what they may or may not have found – for instance we don’t even know when they claim this happened and therefore there is no support for their claim that this is ongoing (“is being transmitted unencrypted”).”
10/12/2015: Airlines including EasyJet ‘exposed credit card details’
Sixteen companies including EasyJet, AirAsia, Aer Lingus, Air Canada and San Diego Zoo have revealed customer credit card details after falling foul of a vulnerability one security firm has dubbed CreditCrypt.
This is according to security firm Wandera, which uncovered the security hole and said the unencrypted card details of customers were sent via smartphone apps and mobile websites, with the possibility of the data being intercepted as they were transmitted to the company servers for payment.
The problems occurred both when customers purchased tickets to attractions or flights and when they paid for an upgrade to a flight, meaning up to 500,000 people may have been affected by the flaw.
The data sent via an unencrypted connection includes sensitive information that could be used to steal money and identities, Wandera said, including complete credit card details, CVV security codes, customer names, full addresses, transaction amounts and contact details, although the information varies according to which provider the customer was using.
For example, passport details may also have been exposed for airline customers, while only card information would have been put at risk for those ordering tickets for San Diego Zoo or other attractions.
Wandera said the data may have been exposed because the companies were not using the HTTPS secure protocol to send the confidential information to the retailer's or airline's servers.
“We believe there are two likely reasons why HTTPS has not been used, everywhere at all times,” said Eldar Tuvey, CEO of Wandera.
“It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”
However, it’s not yet clear whether the data has been used maliciously or was intercepted at all. All companies exposing themselves to this flaw have been contacted by Wandera, but have not yet commented on the issue.
“The most alarming thing is that it is very likely that there are plenty of other brands who have made the same mistakes,” finished Tuvey. “With lots of people booking journeys to go home for the Christmas holidays, it is worrying how much sensitive data could be put at risk.”