Where personal data is concerned, what’s safe today may not be safe tomorrow

Does your airline really understand and provide data security?

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

A friend­ly reminder to orga­ni­za­tions in reg­u­lar com­mu­ni­ca­tion with the pub­lic: You nev­er know who John Q. Pub­lic is; for exam­ple, it could be me—Adam K. Levin. (Not to be con­fused with the singer of the almost same name—Adam Levine.) But there are a bunch of Adam Levins, which is why my mid­dle name (Ken­neth) and ini­tial (K) actu­al­ly matter.

Here’s the short ver­sion of my recent saga with Amer­i­can Air­lines. The name on my tick­et (where mid­dle names count) didn’t match the name on my rewards pro­gram (no mid­dle name). Because of this incon­gruity, there were sev­er­al instances when my mileage didn’t get cred­it­ed to my fre­quent-fli­er pro­gram, and I decid­ed it was high time to bring my rewards name into con­gruity with my TSA-required name. So I con­tact­ed Amer­i­can Air­lines to set the record straight.

Far from rolling out a Maroon 5 car­pet, they were doing the respon­si­ble thing—making sure that my “K” was real­ly was mine, con­firm­ing what it stood for, and that it also was rec­og­nized by a gov­ern­ment agency. Specif­i­cal­ly, they want­ed “legal doc­u­men­ta­tion sup­port­ing the name, gen­der or birth date update.” So, in addi­tion to my AAd­van­tage num­ber, I was told to pro­vide one of the fol­low­ing: marriage/divorce cer­tifi­cate or oth­er “Name Change doc­u­ment;” “one gov­ern­ment-issued ID that includes BOTH the cur­rent name on the account and the new name” (hard to visu­al­ize that ID), or “two gov­ern­ment-issued IDs, one in the cur­rent name on the account and the oth­er in the new name.”

Resist the urge to cooperate

As if the doc­u­men­ta­tion wran­gling required were not issue enough, there was anoth­er prob­lem. They were ask­ing me to do some­thing that, in my pro­fes­sion­al life, I tell peo­ple nev­er to do, because data secu­ri­ty is my thing.

Adam Levin, chairman and co-founder of Credit.com and IDT911
Adam Levin, chair­man and co-founder of Credit.com and IDT911

The email I received said: “If you wish to email this doc­u­men­ta­tion back to us, sim­ply reply to this email. … Attach a copy of your documentation. …”

When I saw the words “attach a copy of your doc­u­men­ta­tion” men­tioned in the same para­graph with the word “email,” my first reac­tion was: “Hous­ton (or actu­al­ly Fort Worth), we have a problem.”

There were no instruc­tions regard­ing pass­words or registration/authentication for secure email. It was clear­ly not a secure sys­tem like Zix or oth­ers, which require authen­ti­ca­tion and a pass­word to both send and receive encrypt­ed infor­ma­tion on an https plat­form. This was sim­ply plain old email.

Now for those of you who have day jobs that are not in the data secu­ri­ty world, email—or rather a deft use of it as a deliv­ery sys­tem for mali­cious code—has exposed many a cor­po­rate data­base or home com­put­er to cyber and iden­ti­ty thieves. Email isn’t safe.

So, I did what any data secu­ri­ty colum­nist would do. I reached out to a media rela­tions rep­re­sen­ta­tive at Amer­i­can. I was assured that email was secure.

We still had a problem.

Be inse­cure about security

Regard­ing the kind of email that I had received, I was told, “When mem­bers reply to this email it remains with­in the secure email sys­tem; how­ev­er, we do offer a fax option for mem­bers who pre­fer that method. All cor­re­spon­dence com­ing from and replied to this AAd­van­tage Cus­tomer Ser­vice email address is sent through a secure sys­tem, so only autho­rized Amer­i­can rep­re­sen­ta­tives can view these messages.”

I’m going to say it again: A secure sys­tem requires a pass­word and authentication.

I asked if the com­pa­ny had a CISO (i.e, a Chief Infor­ma­tion Secu­ri­ty Offi­cer). The com­mu­ni­ca­tions rep­re­sen­ta­tive didn’t know. I asked a series of ques­tions that only a CISO or Chief Infor­ma­tion Offi­cer could answer, and the rep said she had to see if it would be pos­si­ble to ask American’s CIO a few questions.

Answers raise more questions

I next received this:

Unfor­tu­nate­ly, we can­not get our CIO on the phone today but I can con­firm we have a CIO and CISO that work for our orga­ni­za­tion. Please see our state­ment below and thank you again for your patience.

We take data secu­ri­ty and pri­va­cy of our cus­tomers very seri­ous­ly. To ver­i­fy this customer’s request to change a name pre­vi­ous­ly pro­vid­ed to us on a book­ing, we required the sub­mis­sion of the types of iden­ti­fi­ca­tion asked for in our email response to the cus­tomer. Only pre­vi­ous­ly autho­rized Amer­i­can Air­lines rep­re­sen­ta­tives are allowed to access the infor­ma­tion trans­ferred to us by the customer.

To con­firm the iden­ti­ty of inquir­ing cus­tomers, we require that cus­tomers call us or log into their AAd­van­tage account to sub­mit a query, to which our rep­re­sen­ta­tives respond through our secure sys­tem to the customer’s email address pro­vid­ed. Once the cus­tomer emails these doc­u­ments back to us, that email and the attached doc­u­ments are ver­i­fied by our sys­tem and stored in a pro­tect­ed email serv­er to which only our cus­tomer rep­re­sen­ta­tives have access.

If the cus­tomer wish­es to pro­vide us with the infor­ma­tion via alter­nate means, such as fax, they are able to do so.

sh_airport_280How­ev­er, we are con­stant­ly eval­u­at­ing our prac­tices to bet­ter ensure our cus­tomers’ data pri­va­cy and secu­ri­ty, and we thank you for bring­ing this issue, which we are con­tin­u­ing to inves­ti­gate, to our atten­tion. We have plans in the near future to enable cus­tomers who have logged in on aa.com to upload doc­u­ments direct­ly into our secure sys­tem as anoth­er alter­na­tive to pro­vid­ing doc­u­ments to us.

Fol­low-up ques­tions regard­ing the CISO and their best practices—there is some­one on LinkedIn who lists CISO at Amer­i­can Air­lines as his cur­rent employment—went unanswered.

Same sce­nario; dif­fer­ent outcome 

Con­trast this with the con­ver­sa­tion I had with a com­mu­ni­ca­tions depart­ment rep at Unit­ed Air­lines, who imme­di­ate­ly knew not only that the com­pa­ny had a CISO, but told me that Unit­ed only accept­ed cus­tomers’ sup­port­ing evi­dence for doc­u­men­ta­tion of the kind I was asked to give in a secure https envi­ron­ment. No email allowed.

Gen­er­al­ly speak­ing, if your com­pa­ny has a CISO, you know it. They train you until you can be trained no more and then train you again. They demand that you change pass­words often. They ask you to install things on per­son­al devices. They insist on strong authen­ti­ca­tion sys­tems. They make log­ging into Wi-Fi net­works much hard­er than you thought human­ly pos­si­ble. They are a demand­ing lot. They must be. Their respon­si­bil­i­ties go far beyond mak­ing sure that the net­work works. Their mis­sion is to ensure that data is safe in a world where data­bas­es are under attack 247. If no train­ing and nonex­is­tent tech­nol­o­gy archi­tec­ture are part of the prob­lem, the work a CISO does is gen­er­al­ly part of the solution.

There are some sol­id strate­gies for orga­ni­za­tions look­ing to get into bet­ter data secu­ri­ty shape. In my forth­com­ing book on iden­ti­ty theft and cyber­se­cu­ri­ty, I talk about CyberEdge CEO Steve Piper’s pre­scrip­tion for a behav­ior change that needs to occur: we need to ask the right ques­tions. Here are a few of them:

  1. Is there a secu­ri­ty tech­nol­o­gy we have overlooked?
  2. Have we made enough invest­ment in employ­ee secu­ri­ty awareness?
  3. Do we have the abil­i­ty to decrypt Secure Sock­ets Lay­er (SSL) traf­fic to find hid­den threats?
  4. Are we prop­er­ly mon­i­tor­ing priv­i­leged user accounts?
  5. Are we doing the right things to reduce our attack­able surface?

This last ques­tion begs a mil­lion oth­ers. Your attack­able sur­face is as change­able as tech­no­log­i­cal advances, which means what is safe today may no longer be secure tomor­row morning.

Full dis­clo­sure: IDT911 spon­sors Third­Cer­tain­ty. This sto­ry orig­i­nat­ed as an Op/Ed con­tri­bu­tion to Credit.com and does not nec­es­sar­i­ly rep­re­sent the views of the com­pa­ny or its partners.

Adam Levin is chair­man and co-founder of Credit.com and IDT911. His expe­ri­ence as for­mer direc­tor of the New Jer­sey Divi­sion of Con­sumer Affairs gives him unique insight into con­sumer pri­va­cy, leg­is­la­tion and finan­cial advo­ca­cy. He is a nation­al­ly rec­og­nized expert on iden­ti­ty theft and credit.

More on iden­ti­ty theft:
Iden­ti­ty Theft: What You Need to Know
3 Dumb Things You Can Do With Email
How Can You Tell If Your Iden­ti­ty Has Been Stolen?