Delta locks some customer accounts over security concern: What to know

HARRISBURG, Pa. (WHTM) — If you have a flight with Delta Air Lines coming up, it might be a good idea to ensure you can access your frequent flier account before heading to the airport.

The airline has restricted access to some customers’ frequent flier accounts due to cybersecurity concerns identified earlier in the week and did not immediately inform those customers. This information was given by two different reservation agents on separate occasions on Saturday to an affected customer, a reporter for Nexstar’s WHTM.

The possible security breach occurred last week, according to the details provided. The reporter encountered the issue on Saturday while attempting to log into the airline’s system to check in for a flight planned for Sunday. The login was unsuccessful, as was an attempt to reset the password.

This previously unreported issue occurred while Delta also worked to recover from a severe storm at its Atlanta hub, which caused the airline to cancel nearly 1,000 flights Friday and Saturday.

The reporter called the airline’s reservations center, where an agent immediately recognized the problem and said a known issue, regarding concerns about a potential security breach, had impacted a large number of customers earlier in the week, and those customers’ accounts had been locked. The agent said the customer, like others impacted, had to upload a photo of a valid government ID (such as a driver’s license) to verify his identity.

The agent helped the reporter navigate to a form on the airline’s website through which the photo could be uploaded. She said because of the large number of customers impacted, the requests were taking time to address; the reporter could call back later for further manual assistance over the phone if the issue wasn’t addressed in time.

“Delta SkyMiles accounts are secure,” a company spokesperson said in a statement, responding to questions about the issue. SkyMiles is the airline’s frequent flier program. “As we do occasionally, out of an abundance of caution, we reset credentials for accounts and ask that customers verify them with us to maintain security of the accounts. We apologize for any inconvenience this might cause.”

A different agent later in the day, assisting the reporter further, also recognized the issue immediately and said about 68,000 customers had been impacted. The spokesperson declined to comment further.

The 68,000 customers would represent fewer than 1% of Delta’s approximately 130 million SkyMiles members, and it was unclear whether any accounts had actually been breached, as opposed to whether, for example, hackers had unsuccessfully attempted to breach the airline’s systems.

But two security experts said the airline’s handling of the issue — locking customer accounts but not immediately notifying the impacted customers that they should attempt to reset their account credentials to regain access — was unusual.

“This is the first time I’ve ever heard of a company doing something like this without notifying customers,” Jonathan Weissman, a principal lecturer at the Rochester (New York) Institute of Technology’s cybersecurity department, said Saturday night. “It makes no sense that they would lock the accounts and not tell the customers that the accounts have been locked.”

Weissman said companies often require customers to reset their passwords, even after successfully blocking hackers from accessing an account, but they typically notify customers immediately when that happens so the customers can address the issue calmly and at their convenience rather than when they have an immediate need to access the company’s website or app.

“Locking the accounts is a good, safe measure,” Weissman said of Delta’s initial step. “But not communicating that fact to the affected customers can cause mass confusion and problems with people boarding flights eventually. The information should be forthcoming from [Delta], not in response to questions from customers.”

Weissman said it’s possible the airline doesn’t know the extent of the issue, but if it knew enough to lock the accounts, it should have notified customers of that action and their need to set new passwords at the same time.

Another cybersecurity expert, also speaking Saturday night, agreed.

“They need to come clean and do their best job of notifying everybody affected,” said Scott Schober, CEO of a New Jersey-based cybersecurity company called BVS and author of several books about cybersecurity. “At a minimum, they could alert you so you can take action, and then provide more information as they learn it.”

Less than half an hour after the first agent helped the reporter navigate the process of uploading the photo of his driver’s license, he received this message:

(WHTM)

But the password reset didn’t work. The reporter called and spoke with another agent who was also familiar with the issue and was able to help successfully reset the password, resulting in a successful account login.

Delta is generally well-regarded among U.S. airlines, sometimes ranking higher than all others in customer surveys and analyses of metrics such as airline punctuality.

You May Also Like

'Hell on wheels' killer Mackenzie Shirilla poses for prison photoshoot after legal setback

Mackenzie Shirilla Poses for New Prison Photos After Legal Setback

Convicted murderer Mackenzie Shirilla, the Ohio woman whose case drew national attention…
City council members question Emergency Assistance Center effectiveness as another opens after Garfield Park, Chicago shooting

Chicago Council Members Question Emergency Assistance Center Impact as New Site Opens After Garfield Park Shooting

CHICAGO (WLS) — A West Side wellness hub that provides community support…
Raleigh mayor considers youth curfew following teen takeover, violent July 4th weekend

Raleigh Mayor Weighs Youth Curfew After Teen Takeover, Violent July 4 Weekend

Raleigh, North Carolina, Mayor Janet Cowell is considering a curfew for minors…
Ohio cold case reportedly solved as man is charged in 1985 hotel murder linked to Georgia Cracker Barrel clue

Ohio Cold Case Breakthrough: Man Charged in 1985 Hotel Murder After Georgia Cracker Barrel Clue

More than 40 years after a traveling auto parts salesman was found…
Dana Williamon — Gavin Newsom's ex-chief of staff — gets sentencing date

Former Gavin Newsom Chief of Staff Dana Williamson Gets Sentencing Date

Dana Williamson, a former chief of staff to Gov. Gavin Newsom, is…
Microsoft to cut more than 3,000 jobs from ailing Xbox unit

Microsoft to Cut More Than 3,000 Jobs in Struggling Xbox Division

Microsoft announced Monday that it plans to eliminate 3,200 jobs across its…
Will County, Illinois Democrats move to replace former Rep. Harry Benton after undisclosed ethics findings

Will County Democrats Seek Replacement for Former Illinois Rep. Harry Benton After Ethics Findings

PLAINFIELD, Ill. (WLS) — Efforts are now moving forward to fill the…
Florida man pulls pistol on teens who mistakenly fired water pellet gun at his car

Florida Man Pulls Pistol on Teens After Water Pellet Gun Mistakenly Hits His Car

A water-gun prank in Florida took a frightening turn when a real…
Marco Rubio Puts on a Masterclass When Asked About FIFA Reversing Red Card for USMNT's Balogun

Marco Rubio Delivers a Perfect Response to FIFA Reversing USMNT Star Balogun’s Red Card

It likely was not the question Secretary of State Marco Rubio anticipated,…
Brittany Armstrong charged with involuntary manslaughter after illegal fireworks start fire that killed Cashmere Elijah Parker in Dunn, North Carolina

Brittany Armstrong Charged After Illegal Fireworks Spark Fatal Dunn Fire That Killed Cashmere Elijah Parker

DUNN, N.C. — Authorities in Dunn, North Carolina, have released new information…
Malibu influencer in deadly 4th of July crash blames rideshare driver

Malibu Influencer Says Rideshare Driver Caused Fatal Fourth of July Crash

Instagram influencer Summer Wheaton has pleaded not guilty to charges tied to…
Judge rejects Justice Department's attempt to obtain names of 2020 election workers in Georgia

Judge Blocks DOJ Request for Names of Georgia 2020 Election Workers

ATLANTA — A federal judge ruled Tuesday that the US Department of…