Boat biz breaches itself: Brittany Ferries 'fesses up to leaks caused by routine website update

Customers' passport data potentially exposed, says company, promises to carry out password testing


It's never good when a boat operator talks of a breach, even if in this case it's a figurative one.

Brittany Ferries has told some customers that an unforeseen technical glitch introduced after "routine" website maintenance had left their accounts wide open, potentially exposing very sensitive details to anyone who knew the linked email address.

The operator, which runs ships from the UK to ports in Spain, France, and Ireland, contacted punters on Tuesday with the bad news about a "breach to our data that might have an impact on your My Account with Brittany Ferries."

"In spite of our cyber vigilance and rigorous security checks, I'm sorry to confirm your account's protection settings were unintentionally changed between October 21st and November 2nd of this year," said Anne Laure Fabre, data protection officer at Brittany Ferries.

On day two of this month, she added, "we uncovered a fault in the authentication process used for My Account login details that meant any My Account could be accessed without the right password. We have traced this error back to October 21st during a routine website update. As soon as the fault was uncovered, our engineers and security team set to work immediately, diagnosing and resolving the issue on the same day it was discovered."

Brittany Ferries unit arriving from Ouistreham, France in 2019

A spokesperson at Brittany Ferries told The Reg a test procedure was omitted from the update process. "A patch was quickly applied which resolved the issue on the same day. Procedures have now been updated to ensure appropriate password tests are carried out every time a website update takes place."
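A "password test" of the kind the spokesperson describes can run as a release gate after every update. The sketch below is an added example, not Brittany Ferries' code: the account store, the function names and the example.test addresses are hypothetical, and `login_regressed` is a constructed stand-in for a fault where knowing the email address is enough.

```python
import hashlib
import hmac
import os


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Hypothetical in-memory account store used only for this example."""

    def __init__(self):
        self._users = {}

    def add(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, _digest(password, salt))

    def login_ok(self, email, password) -> bool:
        # Intended behaviour: unknown account or wrong password is rejected.
        record = self._users.get(email)
        if record is None or not isinstance(password, str):
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _digest(password, salt))

    def login_regressed(self, email, password) -> bool:
        # Constructed fault: the password is never checked.
        return email in self._users


def release_gate(login, email: str, good_password: str) -> list:
    """Run positive and negative login checks; an empty list means ship."""
    failures = []
    if not login(email, good_password):
        failures.append("valid credentials rejected")
    negative_cases = [
        ("wrong password", email, good_password + "x"),
        ("empty password", email, ""),
        ("missing password", email, None),
        ("unknown account", "nobody@example.test", good_password),
    ]
    for name, case_email, case_password in negative_cases:
        if login(case_email, case_password):
            failures.append(name + " accepted")
    return failures
```

Wired into a deployment pipeline against a dedicated test account, a non-empty result blocks the release.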

The upshot? If someone knew the email address connected to a customer's My Account portal, they could have accessed that person's name, postal address, telephone number, booking references for the past six months, passport number, date of birth and nationality (if added in October or early this month).

Fabre said she was assured by "experts" that the "risk of malicious intervention is exceptionally low and certainly there is no evidence that your data has been compromised. I do need to make you aware that this has happened and apologise accordingly."

Oh, and it might be a good idea to update your password "just in case", the data protection officer added.

One customer caught up in the breach told us he was "disappointed" that his passport data, which may be used to forge his identity, could have been accessed by unauthorised sorts, but that Brittany Ferries "don't seem to be able to say whether it's actually happened. Whatever happened to logging requests?"

The company spokesman told us that no customers had complained of having their data accessed. At least not yet. Some 25,000 customers' details could have been accessed, he confirmed.

"Although I have to reiterate, the reason for notification is prudence and good practice. We think the likelihood of malicious attack is virtually nil bearing in mind 1) we uncovered the issue 2) there is no indication that any kind of malicious external activity took place 3) we resolved the issue quickly - and of course notified the authorities. We have advised all customers in a communication to change their password accordingly."

A spokesperson at the ICO told us the breach had yet to be reported to it by Brittany Ferries: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.

“All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.” ®
