Hack of JetBlue Network for Crew Members Went Undetected for 3 Years
JetBlue passengers deserve to know that a cyber attack on JetBlue’s computer network went undetected for more than three years. Even though the files allegedly accessed contained crew members’ information only, it is still an incident that customers should be aware of.
JetBlue was among more than a dozen corporate victims embroiled in the largest global computer hacking scheme and credit card breach ever prosecuted in the U.S., and details have emerged about the incident.
Federal prosecutors indicted five men yesterday in a global hacking scheme in which more than 160 million credit card numbers were allegedly stolen, resulting “in hundreds of millions of dollars in losses and is the largest such scheme every prosecuted in the United States,” the U.S. Attorney’s in Newark, New Jersey, announced.
On June 24, 2011, JetBlue informed crew members — but not the general public or customers — that it learned in April of that year that malware had been placed on JetBlue systems with files “containing confidential business information as well as personal information including the names, social security numbers and retirement fund account balances of Crewmembers employed by JetBlue since 2005. We would like to emphasize that, to date, we have no evidence that your personal information was actually obtained or has been misused.”
The indictment yesterday puts the incident in the public spotlight and contains new details.
The hack was in place for more than three years, from around January 2008 until February 2011, according to the indictment, which says defendant Aleksandr Kalinin used a server in Odessa to make a file transfer connection to a server in the Bahamas that was used in the hack of JetBlue and also Nasdaq.
JetBlue spokesperson Tamara Young tells Skift today that JetBlue still believes that no crew member personal or financial information was actually obtained or misused.
However, the indictment seems to contradict JetBlue’s statement that no such information was obtained.
The indictment states that defendants “obtained information from those computers, Namely Log-In Credentials, Personal Data, and Card Numbers, for the purpose of commercial advantage and private financial gain” from JetBlue in January 2008, and from 7-Eleven, JC Penney, Heartland, Wet Seal, and Dow Jones from 2007 to 2009.
JetBlue informed crew members about the breach more than two months after it learned of the cyber attack, and three and a half years after the breach began.
JetBlue apparently never made an announcement about the computer-network breach to passengers and the general public, who might be concerned about JetBlue’s data-security safeguards.
JetBlue did inform several state attorneys general about the network hack, including those in Maryland [see letter below] and New Hampshire, where 134 and 178 JetBlue crew members, respectively, may have been impacted. Some states have laws requiring such disclosures, and JetBlue stated that it notified employees of the breach.
JetBlue informed the state attorney generals of Maryland and New Hampshire in late June 2011 that it launched an internal investigation of the hack when it learned about it, and removed the malware.
In response to questions about the hack, Young of JetBlue stated today:
As this is an ongoing legal matter, we decline to comment on the specifics. What we can tell you is that once we were made aware of the potential breach, we took the following actions:
1 – We took the appropriate IT security actions (The breach occurred in an older information system that has since been dismantled. Part of JetBlue’s IT strategy is to replace these older systems in favor of newer, more robust systems.)
2 – We made credit monitoring services available to any crewmember whose information was contained in the affected system.
3 – We fully cooperated with law enforcement on the investigation.
JetBlue purchased for potentially impacted crew members a years’ worth of Debix Identity Protection Services, including credit monitoring and up to $1 million in identity theft insurance coverage.
How should JetBlue’s customers view the incident?
Crew members were informed about it several months after it occurred and passengers have never been forewarned.
When JetBlue states that its “IT strategy is to replace these older systems in favor of newer, more robust systems,” that infers that vulnerabilities still may exist in older systems.
JetBlue wasn’t alone in its apparent cyber vulnerabilities. The defendants — two of whom were apprehended while three others are still at large — also allegedly hacked into the networks of Nasdaq, Euronet, Visa, Global Payment Systems, Discover Financial Services, Ingenicard, 7-Eleven, JC Penney, Heartland, Wet Seal, Dow Jones, Carrefour, Hannaford Brothers, Commidea, and Dexia Bank Belgium.