Copyright 2000 Star Tribune
Star Tribune
(Minneapolis, MN)
January 8, 2000, Saturday, Metro Edition
SECTION: BUSINESS; Pg. 1D
LENGTH: 731 words
HEADLINE:
Some online customers lose privacy in NWA gaffe;
Mistake leaves some
personal data vulnerable
BYLINE: Tony Kennedy; Staff
Writer
BODY:
A programmer's mistake in the online
booking system at Northwest Airlines left the credit card numbers and other
personal information of some customers without full
privacy protection, the airline said Friday.
The Eagan-based carrier this week alerted
those who made online transactions during the period in question. Northwest
declined to specify the timing of the lapse, nor would it say how many customers
made transactions on the under-protected system.
"We believe the risk is very slight,"
Northwest spokesman Jon Austin said. "We put steps in place to prevent it from
happening again." In e-mails to affected
customers, the airline said, "We have no evidence to indicate that this
situation has resulted in any breach of privacy." But the notices urged the
customers to contact Northwest immediately "if you believe you have experienced
fraudulent use of your credit card due to this situation."
By late Friday, the airline had not
received any reports of suspected fraud, Austin said.
No matter the consequences, the incident
gave independent travel agents ammunition to keep customers from straying onto
the Internet to book airline tickets _ a growing practice that many agents
believe is a threat to their livelihoods.
Airlines throughout the United States have
been encouraging online booking because it saves them from paying commissions to
travel agents.
"For someone to risk having
a credit card out there in cyberspace is an unnecessary risk," said Sharon Walsh
of Schilling Travel in Minneapolis. "It's a mystery why people would do that."
She said there is a false perception among
some travelers that travel agents can't match the deals they get by booking
directly online with airlines.
"Many times
we can do better," Walsh said.
James
Ashurst, a spokesman for the American Society of Travel Agents, a national trade
organization based in Washington, D.C., said major airlines have the systems to
provide adequate privacy protection for online booking. But the Northwest
example is a reminder that those systems can break down.
"There is a lot of peace of mind to be had
in dealing with human beings," Ashurst said. "The technology may be there, but
the comfort level isn't, and stories like these don't do much to increase
consumer confidence."
.
Customer noticed problem
The problem at Northwest arose on the
WorldPerks frequent flier award booking section of http://www.nwa.com, the
airline's official Web site. Northwest told affected customers that their names,
addresses, telephone numbers and credit card numbers may have been transmitted
without full privacy protection.
Northwest
discovered the problem when a customer didn't see a small "lock" icon as he
placed his order in mid-December. He notified the carrier that the information
was not secure.
Austin said a WorldPerks
computer programmer doing maintenance on the site forgot to restore the security
system. The WorldPerks database wasn't left unprotected, he said. Rather, the
individual transactions were left unprotected en route to Northwest's computer
because they were transmitted without encryption.
"The integrity of the Web site is
unaffected by this," Austin said.
For any
person to tamper with the credit card numbers and other personal information,
they must have had access to the live data stream or now have access to archives
of the data stream, Austin said. The company isn't disclosing how long the
encryption layer was missing because it would provide a clue to someone who
wanted to hack into archived information.
"We're guarding against a very small
possibility," Austin said.
Andrew Shen,
policy analyst for epic.org, an electronic privacy information center,
criticized Northwest for being careless. He said the use of credit cards in
electronic commerce can be safe for consumers, but only when companies are
vigilant about protecting customers' privacy.
"It's an example of one company being
sloppy. Customers will start to lose trust in them," Shen said. "Privacy and
security is the foremost concern that any company should have with their online
operations."
As part of Northwest's
apology to individuals who made transactions during the encryption breakdown,
the airline is offering them each 5,000 WorldPerks miles.
LOAD-DATE: January 13, 2000
