EasyJet, Chiltern Railways and Aer Lingus didn't encrypt credit card data, says security firm

EasyJet, Chiltern Railways and Aer Lingus, major UK players that each process thousands of credit card payments every day, could be running flawed mobile sites that fail to encrypt users' credit card information, says Wandera, a mobile security firm.

While paying by credit card or NFC is quick and easy, intercepted card details make it equally easy for a fraudster to commit identity fraud, run up purchases on your card or sell your personal information for a quick buck.


Wandera conducted an investigation two weeks ago which identified 16 companies that put customer information at risk by not encrypting such data. Beyond credit card details, these companies also exposed users' names, addresses and transaction information.

"We started investigating our data because we wanted to see if there was any sign of any credit card information. We actually found lots of unencrypted credit card information that has been going through our service, which means that a variety of these sites we believe have not coded their mobile websites correctly.


"What we are talking about here is complete credit card information with the three-digit code, and expiry date, and in some cases passport information, car registrations, addresses, phone numbers. But the common factor is complete credit card information.

"It's an HTTPS problem so the traffic from particular parts of their mobile websites is being unencrypted. Whether it's bad coding, certificate misconfiguration or lack of testing, I can only hypothesise but we believe it's probably an oversight on their part due to complexity," said Eldar Tuvey, chief executive and co-founder at Wandera to V3.co.uk.
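The failure Tuvey describes, a mobile site whose payment pages submit card data without HTTPS, can be caught before release with a simple audit of the checkout HTML. The following is an added example, not code from Wandera or any of the companies named in the article. It parses a page, resolves each form's action against the page URL, and flags any form that collects payment or identity fields but would post them to a non-HTTPS endpoint. The field-name fragments, the page URL and the sample HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical name fragments that suggest payment or identity data
# (mirrors the data types the article says were exposed).
SENSITIVE_FRAGMENTS = ("card", "cvv", "cvc", "expir", "passport", "address", "phone")


class FormAuditor(HTMLParser):
    """Collects every <form> on a page with its resolved action URL and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or relative action inherits the scheme of the page itself.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """Return forms that collect sensitive fields but would submit them over non-HTTPS."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [f for f in form["fields"]
                     if any(frag in f.lower() for frag in SENSITIVE_FRAGMENTS)]
        if sensitive and urlparse(form["action"]).scheme != "https":
            findings.append({"action": form["action"], "fields": sensitive})
    return findings


# Constructed checkout page: one correct form, one legacy form posting over
# plain HTTP, and one relative-action form that inherits the page's scheme.
SAMPLE_PAGE_URL = "https://m.example-airline.test/checkout"
SAMPLE_HTML = """
<form action="https://pay.example-airline.test/submit" method="post">
  <input name="card_number"><input name="card_expiry"><input name="cvv">
</form>
<form action="http://m.example-airline.test/legacy/pay" method="post">
  <input name="card_number"><input name="card_expiry"><input name="cvv">
</form>
<form action="/book" method="post">
  <input name="passenger_phone"><input name="flight_date">
</form>
"""


def demo():
    return audit_forms(SAMPLE_HTML, SAMPLE_PAGE_URL)


if __name__ == "__main__":
    for finding in demo():
        print("non-HTTPS submission of", finding["fields"], "to", finding["action"])
```

Running the audit against the HTTPS page URL flags only the legacy form; running it as if the page were served over plain HTTP flags the relative-action form too, since a relative action inherits the page's own scheme. The check covers the form-action case Tuvey calls "bad coding"; it says nothing about the other hypotheses in his quote (certificate misconfiguration, or scripts that post card data via XHR), which need TLS configuration testing and traffic capture in a test environment.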


EasyJet, Chiltern Railways and Aer Lingus have reacted strongly to Wandera's findings, insisting that their customer information is fully encrypted, although Chiltern Railways appeared somewhat more accommodating.

EasyJet have now given us a statement about the allegations by Wandera:

"All passenger data is transmitted using HTTPS encryption and we have retested all our mobile channels overnight in light of Wandera’s claims and can confirm that this is the case. In addition, no easyJet customers have reported payment security issues based on their use of the easyJet app.

Our security experts have contacted Wandera and they are yet to provide us with sufficient information to validate their claims. We still don’t know very much about what they may or may not have found – for instance we don’t even know when they claim this happened and therefore there is no support for their claim that this is ongoing (“is being transmitted unencrypted”).

Our customers are always our priority and as you would expect easyJet takes the security of their data extremely seriously. We use the latest technology alongside regular audits to test our systems to ensure our customers’ data remains protected. If we are ever made aware of an issue we investigate it thoroughly and act on it immediately."


"Having contacted Wandera and investigated the matters they raised we are confident that their concerns are unfounded," said an Aer Lingus spokesperson.

"We are grateful to Wandera for raising this issue. As it happens, we had already identified this issue through our internal processes. We are confident that no customers' data has been compromised and our supplier has already put in place a full fix to ensure that the theoretical risk is eliminated. We take the security of our passengers' data very seriously, as you would expect, and constantly test our systems," said Thomas Ableman, commercial director at Chiltern Railways.
