KrisFlyer miles returned to five SIA customers whose accounts were hacked, compromised

Five KrisFlyer members who had their accounts hacked, resulting in travel miles being transferred out, have had the transactions reversed by Singapore Airlines (SIA).

A spokesman for the airline said on Thursday that the miles had been credited back into the members’ accounts and those affected had been prompted to change their passwords.

Mr Nicholas Ong, who had 170,000 miles transferred out of his account on Oct 15, was relieved.

He realised his miles were gone when he received a notification that his KrisFlyer account details had been changed. KrisFlyer is the frequent flyer programme of SIA.

The 43-year-old creative consultant said: “It took me about eight years to save all those miles – 170,000 miles are almost enough to redeem two business class tickets to the US, and I had plans to use it to bring my family on a holiday.”

SIA said that between Oct 15 and 18, five KrisFlyer members’ accounts were accessed using e-mail addresses and passwords which the airline suspects were previously compromised on non-SIA Group websites.

The affected account holders were likely using the same compromised usernames and passwords for their KrisFlyer accounts, added the spokesman.

SIA said its investigations revealed unauthorised miles transfers and all five accounts were immediately suspended to prevent further miles usage.

It noted that the successful logins to the KrisFlyer member accounts were not due to a breach of SIA’s IT systems.

“SIA apologises to all affected KrisFlyer members for any inconvenience that this may have caused to them,” added the spokesman.

The airline did not mention how many miles were transferred out in all.

Mr Jesmond Chang, head of corporate communications for Asia Pacific at cyber-security firm Kaspersky, said passwords may be exposed in various ways: A victim may be targeted by someone he or she knows, or cyber criminals may use a software to run numerous possibilities of password combinations and steal them. Passwords can also be compromised if there is a data breach.

“When cyber-threat actors compromise websites and online accounts, they publish lists of usernames, e-mail addresses and passwords online or on the Dark Web,” said Mr Chang.

“When this happens, they start looking for other accounts that the person is associated with and once they find the accounts, they can try logging in with the exposed password."

In this case, he noted that apart from their air miles, affected users should not rule out the possibility that personal information such as passport details have been compromised.

“In our world, data leaks happen regularly and passwords get compromised. If you are using the same password for all accounts, just one leak means that all your accounts could be compromised. In other words, it’s not a two-birds-with-one-stone situation, but rather an all-eggs-in-one-basket one,” he added.

In September, Philippine Airlines suffered a cyber-security breach that led to thousands of its frequent flyers’ personal information being stolen. The attack was targeted at an IT provider for the airline and details stolen included names, dates of birth and nationalities of members who joined between 2015 and 2017.

How to create a strong password:

To protect yourself against the newest hacking methods, powerful passwords are needed. Here are some tips to create one, according to Kaspersky’s Mr Chang.

1. Is it long? Choose a password made up of 10-12 characters but aim to make it longer.

2. Is it hard to guess? You should avoid sequences like “12345” or “qwerty” because these can be hacked in seconds. Also, avoid common words like “password”.

3. Does it have varied character types? Lowercase, uppercase, symbols and numbers should be included in your password. Variety can increase how unpredictable your password is. 

4. Will you remember it? Use something that makes sense to you but is hard for computers to guess.

5. Have you used it before? Reusing passwords compromises multiple accounts. Make it original every time.