Boat biz breaches itself: Brittany Ferries 'fesses up to leaks caused by routine website update
Customers' passport data potentially exposed, says company, promises to carry out password testing
It's never good when a boat operator talks of a breach, even if in this case it's a figurative one.
Brittany Ferries has told some customers that an unforeseen technical glitch introduced after "routine" website maintenance had left their accounts wide open, potentially exposing very sensitive details to anyone who knew the linked email address.
The operator, which runs ships from the UK to ports in Spain, France, and Ireland, contacted punters on Tuesday with the bad news about a "breach to our data that might have an impact on your My Account with Brittany Ferries."
"In spite of our cyber vigilance and rigorous security checks, I'm sorry to confirm your account's protection settings were unintentionally changed between October 21st and November 2nd of this year," said Anne Laure Fabre, data protection officer at Brittany Ferries.
On day two of this month, she added, "we uncovered a fault in the authentication process used for My Account login details that meant any My Account could be accessed without the right password. We have traced this error back to October 21st during a routine website update. As soon as the fault was uncovered, our engineers and security team set to work immediately, diagnosing and resolving the issue on the same day it was discovered."
A spokesperson at Brittany Ferries told The Reg a test procedure was omitted from the update process. "A patch was quickly applied which resolved the issue on the same day. Procedures have now been updated to ensure appropriate password tests are carried out every time a website update takes place."
The upshot? If someone knew the email address connected to a customer's My Account portal, they could have accessed that person's name, postal address, telephone number, booking references for the past six months, passport number, date of birth and nationality (if added in October or early this month).
Fabre said she was assured by "experts" that the "risk of malicious intervention is exceptionally low and certainly there is no evidence that your data has been compromised. I do need to make you aware that this has happened and apologise accordingly."
Oh, and it might be a good idea to update your password "just in case", the data protection officer added.
One customer caught up in the breach told us he was "disappointed" that his passport data, which may be used to forge his identity, could have been accessed by unauthorised sorts, but that Brittany Ferries "don't seem to be able to say whether it's actually happened. Whatever happened to logging requests?"
The company spokesman told us that no customers had complained of having their data accessed. At least not yet. Some 25,000 customers' details could have been accessed, he confirmed.
"Although I have to reiterate, the reason for notification is prudence and good practice. We think the likelihood of malicious attack is virtually nil bearing in mind 1) we uncovered the issue 2) there is no indication that any kind of malicious external activity took place 3) we resolved the issue quickly - and of course notified the authorities. We have advised all customers in a communication to change their password accordingly."
A spokesperson at the ICO told us the breach had yet to be reported to it by Brittany Ferries: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.
“All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.”