Hong Kong Airlines has issued a public apology after its Android mobile app reportedly leaked personal data of more than a hundred of its passengers, including their names, passport numbers and travel records.
The airline immediately suspended access to the app and a feature where non-members can make enquiries, Ming Pao Daily reports.
It promised a thorough investigation of the incident and said it is coordinating with a third-party agent to help prevent the repeat of such an incident.
The company has also filed a report to the Office of the Privacy Commissioner for Personal Data.
The OPCPD said leaking personal data of customers could have violated the principles of data security, although it does not constitute a criminal offense.
It said it will ask Hong Kong Airlines to introduce measures to plug the loopholes.
The security breach was first discovered by a Hong Kong Airlines customer surnamed Lam, Apple Daily reported.
Lam and his girlfriend logged into the app for online check-in as non-registered guests.
As they were going through the process, they were surprised to see a list of personal data of over a hundred other passengers available to anyone using the app.
When clicked, the records revealed the full name, Hong Kong ID number, flight information, seat number and boarding pass QR codes of the passengers.
A computer programmer himself, Lam was shocked to see that his and his girlfriend’s data was also on the list after they checked in online.
The two then canceled their online check-in record and repeated the process after signing up and logging in as a member. This time, they did not see their names and data appearing on the app again.
Lam believed the incident was a basic mistake on the programming side, and could have been avoided easily.
The data leak could pose security risks to the passengers on the compromised list.
A person can assume the name and passport number of one of the passengers, and then download and print the boarding pass of the original ticket owner, the report said.
Legislator Helena Wong Pik-wan said passenger names and passport numbers are personal data and airlines could be held liable for violation of the Personal Data (Privacy) Ordinance if such information are disclosed without the owner’s consent.
Dr. Karl Leung Ping-hung, head of the Department of Information Technology at the Hong Kong Institute of Vocational Education (Chai Wan), said the airline’s system could have mistakenly granted access rights to app users to see privileged information, Ming Pao Daily reported.
Leung said the same data breach could have happened on the iOS version of the app.
– Contact us at [email protected]