My wife came back from giving a conference speech in Las Vegas in December with the weirdest story: when she fired up the United check-in mobile site, she found herself looking at someone else's flight details, along with cellular numbers, home address, passport details, and buttons that would let her request multi-thousand-dollar upgrades for strangers. Every time she hit reload, she got someone else's private information.
She contacted United over email and was advised to send screenshots in via a form that rejected them because they were over 1MB (she didn't have any tools on her phone to reduce them). She emailed them twice more asking for an alternative means of sending in the screenshots and never heard back.
Last week, I phoned Kevin Johnston, United's Head of Press, Europe, Middle East, Africa and India, to ask him about this, and he stonewalled me, refusing to say much beyond the bland, meaningless non-comment of: "The security of our customers’ travel information is very important to us."
Johnston confirmed that they had experienced a bug with their app that leaked sensitive personal information to random customers. He wouldn't say when the bug started, or how many people experienced it, though he said that 20 customers reported it, and it was fixed on December 17. He would not answer these questions:
* Does United know how many customers' personal details were leaked?
* Does United know which customers' data was leaked?
* Does United know who they leaked other customers' information to?
* Has United taken any steps to notify customers whose sensitive information was leaked?
Based on his consistent "no comment" and unwillingness to elaborate on these questions despite multiple tries, I came away with the strong impression that the answer to all these questions is "no." That seems a reasonable inference — though Johnston wouldn't comment on whether or not he agreed that this was a reasonable inference. (If you have been notified by United about this breach, I'd love to hear from you!)
Johnston denied that my wife had sent United her screenshots, and also denied that passport information was available, and that customers were able to charge upgrades to other customers. My wife has shown me the sent email in her Gmail account confirming that she did contact United on three occasions (Johnston refused to comment on this). She also affirms that she definitely saw passport details, and went through the steps to upgrade a stranger, but stopped short of clicking the "confirm" button.
United is legally obliged to notify customers affected by data breaches. In 47 states and throughout the EU, customers are legally entitled to speedy notification of breaches.
Did you experience this bug? Did you hear from United about your data being leaked?
Mistakes happen, and there are good ways and bad ways of dealing with them. Burying them and refusing to discuss them is neither a responsible nor a legal way of responding to this kind of breach.
-Cory Doctorow