Asiana Airlines - South Korea's second-largest air carrier - has admitted that some of its passengers' data has been "compromised", and says it is now investigating the scope of that breach.
Tens of thousands of documents were posted online, including passport scans, home addresses, bank account details and records of some passengers' family members. The breach affects not just Korean nationals, but also foreign travellers on Asiana, and some who flew with its Star Alliance partners, including United Airlines, Lufthansa, Singapore Airlines and SAS, among others.
The Korea Times reports having seen hundreds of scanned documents belonging to these passengers - but those published online are believed to number around 47,000 in total. The means by which the information was seemingly obtained raises concerns over Asiana's security measures.
The data and scanned documents were apparently attached by passengers to customer service queries sent to the airline, and were stored on a server associated with the Frequently Asked Questions (FAQ) section of its website.
In a statement to The Korea Times, Asiana said:
Customers' information that has been saved on the FAQ server since May 2015 seems to have been compromised. An investigation is underway to verify the scope of compromised data.
In a further statement posted on its website, the airline added:
PLEASE NOTE that Asiana Airlines is undergoing an investigation into a potential security breach that may have compromised the personal information of some of our customers.
This security breach is limited to ONLY those customers who uploaded and/or attached documents through the "Contact Us" feature on Asiana Airlines’ website from May 2015 to the present.
According to our internal report, we ascertained the possibility of exposed documents on our website's 'Contact Us' section. Asiana Airlines is still investigating this potential breach and will continue to monitor its security system to determine which, if any, customers’ personal information was compromised.
Once the investigation is complete, Asiana Airlines will immediately contact customers whose personal information has been compromised.
We deeply apologize for any inconvenience and concern this may cause to our customers.
The computer engineer who first flagged the breach indicated that the airline's security measures to protect that server were far from adequate: "No hacking skills were required to retrieve [the data]. Just basic knowledge of web development."
Other experts have expressed similar concerns, describing Asiana's security efforts on its site as "extremely poor".
In addition to Asiana's own internal investigation, Korean authorities are looking into the breach and the subsequent leaking of passenger information.