Boat biz breaches itself: Brittany Ferries 'fesses up to leaks caused by routine website update

Customers' passport data potentially exposed, says company, promises to carry out password testing

It's never good when a boat operator talks of a breach, even if in this case it's a figurative one.

Brittany Ferries has told some customers that an unforeseen technical glitch introduced after "routine" website maintenance had left their accounts wide open, potentially exposing very sensitive details to anyone who knew the linked email address.

The operator, which runs ships from the UK to ports in Spain, France, and Ireland, contacted punters on Tuesday with the bad news about a "breach to our data that might have an impact on your My Account with Brittany Ferries."

"In spite of our cyber vigilance and rigorous security checks, I'm sorry to confirm your account's protection settings were unintentionally changed between October 21st and November 2nd of this year," said Anne Laure Fabre, data protection officer at Brittany Ferries.

On day two of this month, she added, "we uncovered a fault in the authentication process used for My Account login details that meant any My Account could be accessed without the right password. We have traced this error back to October 21st during a routine website update. As soon as the fault was uncovered, our engineers and security team set to work immediately, diagnosing and resolving the issue on the same day it was discovered."

Photo caption: Brittany Ferries car ferry Mont St Michel arriving in Portsmouth, Hampshire, UK from Ouistreham, France, June 27 2019

A spokesperson at Brittany Ferries told The Reg a test procedure was omitted from the update process. "A patch was quickly applied which resolved the issue on the same day. Procedures have now been updated to ensure appropriate password tests are carried out every time a website update takes place."
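The kind of post-update password test the spokesperson describes, as an added illustration rather than Brittany Ferries' own code (the article does not describe their system): a hypothetical login routine with the reported defect (any known email address grants access whatever the password) beside a corrected one, and a smoke check that flags the defect before a deployment goes live. The account store and email addresses are constructed sample data.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (standard library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample account store: email -> (salt, password hash). Not real data.
_SALT = os.urandom(16)
ACCOUNTS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}


def login_vulnerable(email: str, password: str) -> bool:
    """Hypothetical defective login modelled on the reported fault: a known
    email alone grants access. The password is never compared, so any value
    (even an empty string) is accepted."""
    return email in ACCOUNTS


def login_fixed(email: str, password: str) -> bool:
    """Corrected login: unknown email rejected, password hash compared in
    constant time against the stored hash."""
    record = ACCOUNTS.get(email)
    if record is None:
        return False
    salt, stored_hash = record
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def password_smoke_test(login) -> list:
    """Post-deploy check for a login function: returns the names of the checks
    that failed (an empty list means the build passes)."""
    checks = {
        "correct_password_accepted": login("alice@example.com", "correct horse") is True,
        "wrong_password_rejected": login("alice@example.com", "not the password") is False,
        "empty_password_rejected": login("alice@example.com", "") is False,
        "unknown_email_rejected": login("nobody@example.com", "correct horse") is False,
    }
    return [name for name, passed in checks.items() if not passed]


if __name__ == "__main__":
    print("fixed build failures:", password_smoke_test(login_fixed))
    print("vulnerable build failures:", password_smoke_test(login_vulnerable))
```

Wired into a release pipeline, a non-empty result from `password_smoke_test` should block the update from going live.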

The upshot? If someone knew the email address connected to a customer's My Account portal, they could have accessed that person's name, postal address, telephone number, booking references for the past six months, passport number, date of birth and nationality (if added in October or early this month).

Fabre said she was assured by "experts" that the "risk of malicious intervention is exceptionally low and certainly there is no evidence that your data has been compromised. I do need to make you aware that this has happened and apologise accordingly."

Oh, and it might be a good idea to update your password "just in case", the data protection officer added.

One customer caught up in the breach told us he was "disappointed" that his passport data, which may be used to forge his identity, could have been accessed by unauthorised sorts, but that Brittany Ferries "don't seem to be able to say whether it's actually happened. Whatever happened to logging requests?"

The company spokesman told us that no customers had complained of having their data accessed. At least not yet. Some 25,000 customers' details could have been accessed, he confirmed.

"Although I have to reiterate, the reason for notification is prudence and good practice. We think the likelihood of malicious attack is virtually nil bearing in mind 1) we uncovered the issue 2) there is no indication that any kind of malicious external activity took place 3) we resolved the issue quickly - and of course notified the authorities. We have advised all customers in a communication to change their password accordingly."

A spokesperson at the ICO told us the breach had yet to be reported to it by Brittany Ferries: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.

“All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.” ®
