On-line Air Miles files left accessible

Normally it’s hackers who breach security measures to pull personal and proprietary information off Web sites. In the case of the Air Miles site nothing had to be breached: the files were simply left where any visitor could fetch them, and the “culprit” was just looking to do the site’s owners, The Loyalty Group, a favour.

The Breach

About a year and a half ago, Terry Hamilton, president of iAssist Computing Services Inc., a Scarborough, Ont.-based computer consulting and integration firm, was teaching a friend about Web page authoring. He happened to be on the Air Miles site and noticed that the cgi-bin directory was accessible to casual surfers: its contents could be browsed and downloaded by anyone who asked the Web server for them.

“I didn’t think anything about it. I thought maybe the webmaster was updating the page and the file was exposed,” Hamilton said. A couple of weeks ago Hamilton was doing some on-line banking and decided to sign up for an Air Miles card on-line. Upon reaching the site he recalled his earlier visit and checked the cgi-bin directory. It was still accessible. One 170KB file in it contained the names, addresses and account numbers of about 30,000 Air Miles customers. Also accessible was the log file, which apparently contained answers to questions the application form requires, including business contact information and average income.
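The failure described above is a Web server that hands out a directory listing and the raw files beneath it. The following Python is an added example, not code from the article or from The Loyalty Group: it shows the check a reviewer could run against a site, deciding whether a fetched page is an auto-generated directory index, listing the files it exposes and flagging those whose names suggest logs or data dumps. It assumes the server emits an Apache-style “Index of /…” title (the article does not say what server Air Miles ran); the sample listing, the file names in it and the suffix list are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Suffixes that commonly mark request logs or dumps of collected form data.
# Constructed for this example; extend to match the application under review.
SENSITIVE_SUFFIXES = (".log", ".txt", ".dat", ".csv", ".db", ".bak", ".old")

# Apache-style auto-index pages carry a title of the form "Index of /path".
# Assumption: other servers use different markers and need their own pattern.
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects every href in the page, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_index(body):
    """True when the page looks like a server-generated directory listing."""
    return INDEX_TITLE.search(body) is not None


def listed_files(body):
    """Return the file entries of a listing, skipping sort links, parent and subdirectories."""
    parser = _LinkCollector()
    parser.feed(body)
    files = []
    for href in parser.hrefs:
        if href.startswith("?") or href.startswith("/") or href.endswith("/") or "://" in href:
            continue
        files.append(href)
    return files


def flag_exposed(body):
    """Files in an exposed listing whose names suggest logs or data; empty if not a listing."""
    if not is_directory_index(body):
        return []
    return [f for f in listed_files(body) if f.lower().endswith(SENSITIVE_SUFFIXES)]


def check_url(url, timeout=10):
    """Fetch one URL (e.g. https://host/cgi-bin/) and return the flagged names. Uses the network."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return flag_exposed(body)


# Constructed sample: what an open cgi-bin directory might return to a browser.
SAMPLE_LISTING = """<html><head><title>Index of /cgi-bin</title></head>
<body><h1>Index of /cgi-bin</h1>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="enroll.cgi">enroll.cgi</a>
<a href="enroll.log">enroll.log</a>
<a href="applicants.dat">applicants.dat</a>
<a href="old/">old/</a>
</body></html>"""

# Constructed sample: an ordinary page, which must not be reported as a listing.
SAMPLE_NORMAL = "<html><head><title>Welcome</title></head><body><a href='data.log'>x</a></body></html>"

if __name__ == "__main__":
    print("exposed in sample listing:", flag_exposed(SAMPLE_LISTING))
    print("exposed in normal page:", flag_exposed(SAMPLE_NORMAL))
```

The check only reports what a listing advertises; a data file with an unguessable name is still reachable if the directory is served, so the fix on the server side is to disable automatic indexing and to keep logs and collected form data outside the document root altogether, not merely to rename them.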

He decided against signing up for a card.

“This time I was concerned, because it was going to be my information posted,” explained Hamilton.

Instead, he e-mailed The Loyalty Group to notify the company of the oversight. He also contacted a number of media outlets with the information.

The Response

The Loyalty Group’s first action was to shut the Web site down until it could figure out what was compromised and how it could be fixed. According to John Wright, vice-president and general manager, Air Miles business program, the Toronto-based firm took a three-step approach to the task.

“We had our IT group take a look to see what had happened. The next step was to bring in some external Web site security experts, and they built a security back-up on that one subdirectory file, and then they made sure they strengthened the protection on the entire site as well. Then we brought in Ernst & Young and they did a security audit on our site because we wanted to make sure that everything was absolutely secure before we went back up on-line.

“Once they were done they were very happy with the audit, and they gave us what they called their Cyber Assurance approval. Then we went back up on-line.”

Data Security

Wright explained that even though the customer information was exposed on the Air Miles site, the Air Miles points collectors have nothing to worry about. Hamilton destroyed the information he downloaded, as did the media companies he e-mailed. Whether anyone else fetched the files during the year and a half they sat in the open is not known. In addition, Wright said the information was not stored in an easy-to-use format.

“It would have been some of the information they put down on their enrolment form. The key thing is that wasn’t a copy of the enrolment form. It is what is called a tracking log version of it. It’s not encoded, but it is in a code format. You can’t go into it and look at a form. You look at lines of code that have information in it.”

In addition, Wright offered assurances that the main production database was and always will be safe.

“The Web site itself is not connected in any way to our main production database, and that is what houses all the main collector information as well as the purchasing information. Our main customer database is separate physically and has eight layers of protection including encryption technology so it is absolutely secure and was not affected at all by the Web site.”