Over the weekend, the Philippine Airlines informed Mabuhay Miles account holders about changing their passwords. Accelya, a service provider of PAL, informed them of a cybersecurity incident that affected several of Accelya's global airline customers, including PAL. The security incident does not affect PAL's internal IT system, as Accelya is just a third-party IT provider.
"...the Accelya cybersecurity incident impacted personal information of some of our Mabuhay Miles members which are limited to members' name, date of birth, nationality, gender, join date, tier level, and points balance," PAL said in the notice sent to account holders who could have been affected by the incident.
PAL also recommended that recipients of the notice change their Mabuhay Miles account passwords and gave an assurance that the incident did not affect PAL's internal IT systems.
The Manila Bulletin Technews contacted PAL about the incident but did not get any reply as of this posting. We asked how many Mabuhay Miles accounts were affected as Accelya is also the third-party IT provider of big airlines worldwide.
Upon receiving the information about the incident, I immediately informed cybersecurity professional John Patrick Lita. We discovered that the Accelya hacking was done by the ransomware group BlackCat/ALPHV. Upon further investigation, Mr. Lita found out that more details about the hack from the dark web are available. When I checked, there were screenshots, and a 49GB file was available for download, which we did not touch.
Redpacket Security, a website dedicated to cybersecurity, reported that there are "stuff from this company such a sensitive information about business clients emails, workers and contracts."
While PAL asked Mabuhay Miles account holders to change their password, many could not do it for different reasons, including forgotten security questions you need to answer to reset the password. This means cybercriminals could still access account holders' data until they change their passwords.
I asked Angel Redoble, First Vice President and Group CISO of PLDT and Smart, about the incident, and here's his suggestion on how to handle the issue:
1. Disable all member accounts 2. Send temporary passwords to all members through Mobile numbers 3. Implement OTP when members log in using temporary passwords 4. Force members to change passwords after confirming through OTP sent to mobile phones, and 5. Do all these in a different set of hardware/OS/System, do not use the compromised one.
In our talk, Mr. Redoble also calls for the "whole community approach" to stop cybercriminals from exploiting users. "This is not just securing our system or the people near us. We need to secure the whole community by using the knowledge and experience of all of us in the community. This means engaging with private, government, and private sectors to work together for a more secure online world." Redoble said.
UPDATE: Josen Perez de Tagle, VP for Corporate Communications of PAL, clarified that the data breach did not include login info and that cybercriminals would not be able to access account holders' data. PAL also sent the company's statement about the incident.
September 10, 2022
STATEMENT
Philippine Airlines was notified by Accelya, a third party IT service provider, that
Accelya's internal systems were affected by a cybersecurity incident.
Accelya is a global technology firm providing services to over 250 airlines worldwide.
The company confirmed that the cybersecurity incident impacted several of its clients
including PAL.
In the case of PAL, the Accelya incident involved limited information on a subset of
Mabuhay Miles customers who became members from 2015 to 2017, at most 12% of the
membership roster. The impacted information was limited only to member names, birth
dates, nationality, gender, join date, tier level and points balance. It did not include more
sensitive information such as contact details, credit card information, passport numbers,
membership passwords or flight ticketing information.
PAL has alerted the Philippine National Privacy Commission and is now notifying
affected customers of the incident. While the incident occurred outside of PAL’s systems
and the impact is limited, the affected customers were advised to change their frequent
flyer account passwords as a precautionary measure and adopt the best practice of
regularly updating their passwords for extra prudence.
"PAL is closely coordinating with Accelya who confirmed to us that the incident has
been contained. We urged Accelya to fortify security measures to ensure that there can be
no recurrence," said PAL Sr. Vice President and Data Protection Officer Alvin
Limqueco.
Accelya assured PAL and other affected airlines that it has stopped the spread of the
malware and put in place further security measures to prevent a similar incident from
happening in the future.
The cybersecurity incident had no effect on PAL's internal IT systems. "Safeguarding the
data of our customers and frequent flyer members has always been a top priority of
Philippine Airlines. We will do what is necessary to protect this information, in line with
our strict safety culture that applies to all our flights and every aspect of our operations,"
added Mr. Limqueco.