Over 280 KrisFlyer members' personal details disclosed due to software bug affecting SIA's website

A man walks past a Singapore Airlines signage at Changi Airport in Singapore

After a software bug affected Singapore Airlines' (SIA) website on Friday, January 4 over 280 KrisFlyer members' personal data may have been seen by other customers.

As per an SIA spokesperson, the authorities are aware of "a number of cases in which a customer logged in to his or her KrisFlyer account, under certain specific conditions, may have been able to see selective details of another customer."

Reports stated that the unprotected details may have included names, e-mail addressed, travel history, account numbers, membership tire status, KrisFlyer miles and rewards. The authority also said that in seven cases they found that passport details of the members were also disclosed due to the software bug.

In addition, the spokesperson said that the personal details were leaked when two members log in at the same time to their KrisFlyer accounts and access transactions displaying their membership information, while also being assigned the same server by the system.

A Facebook user, Tricia Leo said in a post on Saturday, on January 5 that when she logged into her KrisFlyer page, she could see the details of another person on her account.

She wrote on the post that "I tried a new login and I could see his entire history, upcoming trips, miles etc."

As per her post when she contacted SIA about the issue, the authority asked her to "log off for 24 hrs. as they were upgrading their system," and the officer "didn't even bother with the offer of a report of what happened till I asked."

"If organisations that demand our personal data don't guard our information properly, then they need to be called out on it," she said.

Later, Tricia was contacted by the authorities and told that it's a software bug and a few people were affected. She also came to know that her account was not affected or compromised.

However, SIA said in a statement that they did not change the accounts of the members and their credit card details were also safe.

"We have established that this was a one-off software bug and was not the result of an external party's breach of our systems or members' accounts," they continued.

"The issue has been resolved and we will carry out a detailed review to ensure this will not happen again," said SIA.

It should be noted that as per the authority the software bug affected the system after the changes were made in SIA's website homepage on Friday and the breach took place between 2 am and 12.15 pm.

While conveying the apologies, SIA said the protection of the customers' personal data is of utmost importance to them and "we sincerely regret the incident."

However, they are now following up directly with affected KrisFlyer members and has informed the Personal Data Protection Commission.