Etihad Airways is investigating a potential data breach after an anonymous source sent Gulf News personal details of “around seven thousand individuals from Etihad’s loyalty programme”.
The data breach is believed to have been caused by a third party that worked with the airline in 2013 to run a promotional campaign.
The leaked data includes:
- Email addresses
- Phone numbers
- IP addresses
Etihad has assured its customers that the data breach “does not include sensitive or financial information, and presents no threat to the security of Etihad Guest member’s accounts.”
An Etihad spokesperson told Gulf News that “It also appears this information was misappropriated from a marketing vendor involved in a promotional campaign in 2013. As a consequence, Etihad Airways is considering all its legal options as a matter of priority.”
EmailCiti founder Khaled Jabasini confirmed that the leaked personal details came from a promotional website that EmailCiti had built for Etihad in 2013.
Etihad Airways is no longer working with EmailCiti.
Securing the supply chain
This breach further highlights the threat posed by insecure third parties. I’ve previously spoken to IT Governance’s founder and executive chairman, Alan Calder, about the supply chain:
“Organisations are only as secure as their weakest link. Alongside your own security efforts, it’s vital that you ensure your supply chain is equally secure. An attack on a single link in a supply chain can have devastating effects further down the line.”
ISO 27001 and the supply chain
Organisations that want to protect their data assets and ensure there aren’t any weak spots in their supply chain should immediately look at ISO 27001.
The international standard ISO 27001 sets out the requirements of an information security management system (ISMS): a holistic approach to information security that encompasses people, processes and technology, and which can be applied throughout the supply chain. Once you’ve certified your ISMS to the Standard, you can demand that your suppliers do the same, demonstrating to stakeholders, customers and staff that information security best practice is followed.