HARRISBURG, Pa. (WHTM) — If you have a flight with Delta Air Lines coming up, it might be a good idea to ensure you can access your frequent flier account before heading to the airport.
The airline has restricted access to some customers’ frequent flier accounts due to cybersecurity concerns identified earlier in the week and did not immediately inform those customers. This information was given by two different reservation agents on separate occasions on Saturday to an affected customer, a reporter for Nexstar’s WHTM.
The possible security breach occurred last week, according to the details provided. The reporter encountered the issue on Saturday while attempting to log into the airline’s system to check in for a flight planned for Sunday. The login was unsuccessful, as was an attempt to reset the password.
This previously unreported issue occurred while Delta also worked to recover from a severe storm at its Atlanta hub, which caused the airline to cancel nearly 1,000 flights Friday and Saturday.
The reporter called the airline’s reservations center, where an agent immediately recognized the problem and said a known issue, regarding concerns about a potential security breach, had impacted a large number of customers earlier in the week, and those customers’ accounts had been locked. The agent said the customer, like others impacted, had to upload a photo of a valid government ID (such as a driver’s license) to verify his identity.
The agent helped the reporter navigate to a form on the airline’s website through which the photo could be uploaded. She said because of the large number of customers impacted, the requests were taking time to address; the reporter could call back later for further manual assistance over the phone if the issue wasn’t addressed in time.
“Delta SkyMiles accounts are secure,” a company spokesperson said in a statement, responding to questions about the issue. SkyMiles is the airline’s frequent flier program. “As we do occasionally, out of an abundance of caution, we reset credentials for accounts and ask that customers verify them with us to maintain security of the accounts. We apologize for any inconvenience this might cause.”
A different agent later in the day, assisting the reporter further, also recognized the issue immediately and said about 68,000 customers had been impacted. The spokesperson declined to comment further.
The 68,000 customers would represent fewer than 1% of Delta’s approximately 130 million SkyMiles members, and it was unclear whether any accounts had actually been breached, as opposed to whether, for example, hackers had unsuccessfully attempted to breach the airline’s systems.
But two security experts said the airline’s handling of the issue — locking customer accounts but not immediately notifying the impacted customers that they should attempt to reset their account credentials to regain access — was unusual.
“This is the first time I’ve ever heard of a company doing something like this without notifying customers,” Jonathan Weissman, a principal lecturer at the Rochester (New York) Institute of Technology’s cybersecurity department, said Saturday night. “It makes no sense that they would lock the accounts and not tell the customers that the accounts have been locked.”
Weissman said companies often require customers to reset their passwords, even after successfully blocking hackers from accessing an account, but they typically notify customers immediately when that happens so the customers can address the issue calmly and at their convenience rather than when they have an immediate need to access the company’s website or app.
“Locking the accounts is a good, safe measure,” Weissman said of Delta’s initial step. “But not communicating that fact to the affected customers can cause mass confusion and problems with people boarding flights eventually. The information should be forthcoming from [Delta], not in response to questions from customers.”
Weissman said it’s possible the airline doesn’t know the extent of the issue, but if it knew enough to lock the accounts, it should have notified customers of that action and their need to set new passwords at the same time.
Another cybersecurity expert, also speaking Saturday night, agreed.
“They need to come clean and do their best job of notifying everybody affected,” said Scott Schober, CEO of a New Jersey-based cybersecurity company called BVS and author of several books about cybersecurity. “At a minimum, they could alert you so you can take action, and then provide more information as they learn it.”
Less than half an hour after the first agent helped the reporter navigate the process of uploading the photo of his driver’s license, he received this message:
But the password reset didn’t work. The reporter called and spoke with another agent who was also familiar with the issue and was able to help successfully reset the password, resulting in a successful account login.
Delta is generally well-regarded among U.S. airlines, sometimes ranking higher than all others in customer surveys and analyses of metrics such as airline punctuality.
