Does Your Airline Really Understand Data Security?


A friendly reminder to organizations in regular communication with the public: You never know who John Q. Public is; for example, it could be me—Adam K. Levin. (Not to be confused with the singer of the almost same name—Adam Levine.) But there are a bunch of Adam Levins, which is why my middle name (Kenneth) and initial (K) actually matter.

Here’s the short version of my recent saga with American Airlines. The name on my ticket (where middle names count) didn’t match the name on my rewards program (no middle name). Because of this incongruity, there were several instances when my mileage didn’t get credited to my frequent-flier program, and I decided it was high time to bring my rewards name into congruity with my TSA-required name. So I contacted American Airlines to set the record straight.

Far from rolling out a Maroon 5 carpet, they were doing the responsible thing—making sure that my “K” was really mine, confirming what it stood for, and that it was also recognized by a government agency. Specifically, they wanted “legal documentation supporting the name, gender or birth date update.” So, in addition to my AAdvantage number, I was told to provide one of the following: marriage/divorce certificate or other “Name Change document;” “one government-issued ID that includes BOTH the current name on the account and the new name” (hard to visualize that ID), or “two government-issued IDs, one in the current name on the account and the other in the new name.”

As if the documentation wrangling required were not issue enough, there was another problem. They were asking me to do something that, in my professional life, I tell people never to do, because data security is my thing.

The email I received said: “If you wish to email this documentation back to us, simply reply to this email…. Attach a copy of your documentation…..”

When I saw the words “attach a copy of your documentation” mentioned in the same paragraph with the word “email,” my first reaction was: “Houston (or actually Fort Worth), we have a problem.”

There were no instructions regarding passwords or registration/authentication for secure email. It was clearly not a secure system like Zix or others, which require authentication and a password to both send and receive encrypted information on an https platform. This was simply plain old email.

Now for those of you who have day jobs that are not in the data security world, email — or rather a deft use of it as a delivery system for malicious code — has exposed many a corporate database or home computer to cyber and identity thieves. Email isn’t safe.
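To make the point about plain email concrete, here is an added example (mine, not the author’s and not anything from the airline) in Python that reads the Received: chain of a message after delivery and reports which relay hops accepted it without TLS. The message, host names and addresses are constructed for illustration.

```python
"""Inspect the Received: chain of an email to see which hops used TLS.

Added example, not from the article. Each mail relay records the protocol
it received the message with: "with ESMTPS" / "with ESMTPSA" means the hop
used TLS, "with SMTP" / "with ESMTP" means cleartext. The sample message
below is constructed; the host names and addresses are illustrative only.
"""
import re
from email import message_from_string
from typing import List, Tuple

# Protocol keywords that indicate a TLS-protected hop (RFC 3848 / IANA registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: three hops, the middle one in cleartext.
SAMPLE_MESSAGE = """\
Received: from mx-in.example-airline.test (mx-in.example-airline.test [192.0.2.10])
\tby mail.example-airline.test with ESMTPS id abc123
\tfor <loyalty@example-airline.test>; Mon, 01 Jan 2018 10:00:03 +0000
Received: from relay.isp.test (relay.isp.test [198.51.100.7])
\tby mx-in.example-airline.test with ESMTP id def456;
\tMon, 01 Jan 2018 10:00:02 +0000
Received: from customer-laptop.home.test (customer-laptop.home.test [203.0.113.5])
\tby relay.isp.test with ESMTPSA id ghi789;
\tMon, 01 Jan 2018 10:00:01 +0000
From: customer@home.test
To: loyalty@example-airline.test
Subject: Re: Name change documentation
Content-Type: text/plain

Attached: scan of passport and driver's license.
"""


def hop_protocols(raw_message: str) -> List[Tuple[str, str]]:
    """Return (receiving relay, protocol) for each hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())          # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        with_ = re.search(r"\bwith\s+(\S+)", flat)
        hops.append((by.group(1) if by else "?",
                     with_.group(1).upper() if with_ else "?"))
    hops.reverse()  # relays prepend Received:, so the last header is the first hop
    return hops


def cleartext_hops(raw_message: str) -> List[str]:
    """Relays that accepted the message without TLS."""
    return [relay for relay, proto in hop_protocols(raw_message)
            if proto not in TLS_PROTOCOLS]


if __name__ == "__main__":
    for relay, proto in hop_protocols(SAMPLE_MESSAGE):
        print(f"{relay:30} {proto:10} {'TLS' if proto in TLS_PROTOCOLS else 'CLEARTEXT'}")
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
```

Two things the output shows that the airline’s reassurance does not: the person replying to the email has no control over any of these hops and can only inspect the chain after the attachment has already been sent, and even a chain where every hop reports ESMTPS is encrypted only hop-by-hop, with the attachment sitting in cleartext on each relay in between. That is the difference between “sent through a secure system” and an authenticated HTTPS upload.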

So, I did what any data security columnist would do. I reached out to a media relations representative at American. I was assured that email was secure.

We still had a problem.

Regarding the kind of email that I had received, I was told, “When members reply to this email it remains within the secure email system; however, we do offer a fax option for members who prefer that method. All correspondence coming from and replied to this AAdvantage Customer Service email address is sent through a secure system, so only authorized American representatives can view these messages.”

I’m going to say it again: A secure system requires a password and authentication.

I asked if the company had a CISO (i.e., a Chief Information Security Officer). The communications representative didn’t know. I asked a series of questions that only a CISO or Chief Information Officer could answer, and the rep said she had to see if it would be possible to ask American’s CIO a few questions.

I next received this:

Unfortunately, we cannot get our CIO on the phone today but I can confirm we have a CIO and CISO that work for our organization. Please see our statement below and thank you again for your patience.

We take data security and privacy of our customers very seriously. To verify this customer’s request to change a name previously provided to us on a booking, we required the submission of the types of identification asked for in our email response to the customer. Only previously authorized American Airlines representatives are allowed to access the information transferred to us by the customer.

To confirm the identity of inquiring customers, we require that customers call us or log into their AAdvantage account to submit a query, to which our representatives respond through our secure system to the customer’s email address provided. Once the customer emails these documents back to us, that email and the attached documents are verified by our system and stored in a protected email server to which only our customer representatives have access.

If the customer wishes to provide us with the information via alternate means, such as fax, they are able to do so.

However, we are constantly evaluating our practices to better ensure our customers’ data privacy and security, and we thank you for bringing this issue, which we are continuing to investigate, to our attention. We have plans in the near future to enable customers who have logged in on aa.com to upload documents directly into our secure system as another alternative to providing documents to us.

Follow-up questions regarding the CISO and their best practices — there is someone on LinkedIn who lists CISO at American Airlines as his current employment — went unanswered.

Contrast this with the conversation I had with a communications department rep at United Airlines, who immediately knew not only that the company had a CISO, but told me that United only accepted customers’ supporting evidence for documentation of the kind I was asked to give in a secure https environment. No email allowed.

Generally speaking, if your company has a CISO, you know it. They train you until you can be trained no more and then train you again. They demand that you change passwords often. They ask you to install things on personal devices. They insist on strong authentication systems. They make logging into WiFi networks much harder than you thought humanly possible. They are a demanding lot. They must be. Their responsibilities go far beyond making sure that the network works. Their mission is to ensure that data is safe in a world where databases are under attack 24/7. If a lack of training and a nonexistent technology architecture are part of the problem, the work a CISO does is generally part of the solution.

There are some solid strategies for organizations looking to get into better data security shape. In my forthcoming book on identity theft and cybersecurity, I talk about CyberEdge CEO Steve Piper’s prescription for a behavior change that needs to occur: we need to ask the right questions. Here are a few of them:

  1. Is there a security technology we have overlooked?
  2. Have we made enough investment in employee security awareness?
  3. Do we have the ability to decrypt Secure Sockets Layer (SSL) traffic to find hidden threats?
  4. Are we properly monitoring privileged user accounts?
  5. Are we doing the right things to reduce our attackable surface?
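Question 4 is the one that most often goes unanswered in practice, so here is an added example (mine, not Steve Piper’s and not from the book) in Python of what a first pass at monitoring privileged accounts looks like: a few simple checks run over constructed sshd log lines. The account names, admin subnet and business hours are assumptions standing in for local policy.

```python
"""Flag suspicious use of privileged accounts in sample authentication logs.

Added example, not from the article. Three checks a detection engineer would
start with: privileged logins outside business hours, privileged logins from
outside the admin network, and privileged logins that used a password instead
of a key. Failed attempts against privileged accounts are reported as well.
All policy values and log lines below are constructed assumptions.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple

PRIVILEGED_ACCOUNTS = {"root", "admin"}          # assumption: local policy
ADMIN_NETWORKS = [ip_network("10.0.5.0/24")]     # assumption: jump-host subnet
BUSINESS_HOURS = range(7, 20)                    # assumption: 07:00-19:59 UTC

# Constructed sample log (sshd style, not from any real system).
SAMPLE_LOG = """\
2018-01-08T09:12:03Z sshd[101]: Accepted publickey for alice from 10.0.5.21 port 51000
2018-01-08T09:15:44Z sshd[102]: Accepted publickey for root from 10.0.5.21 port 51002
2018-01-08T23:47:10Z sshd[103]: Accepted password for root from 198.51.100.23 port 40011
2018-01-08T23:47:12Z sshd[104]: Failed password for root from 198.51.100.23 port 40012
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

Finding = Tuple[str, str, str]  # (timestamp, account, reason)


def check_line(line: str) -> List[Finding]:
    """Return the findings for one log line; empty for unprivileged or unparsed lines."""
    m = LINE_RE.match(line)
    if not m or m["user"] not in PRIVILEGED_ACCOUNTS:
        return []
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    src = ip_address(m["src"])
    findings: List[Finding] = []
    if m["result"] == "Failed":
        findings.append((m["ts"], m["user"], "failed login against privileged account"))
        return findings
    if ts.hour not in BUSINESS_HOURS:
        findings.append((m["ts"], m["user"], "privileged login outside business hours"))
    if not any(src in net for net in ADMIN_NETWORKS):
        findings.append((m["ts"], m["user"],
                         f"privileged login from non-admin network {src}"))
    if m["method"] != "publickey":
        findings.append((m["ts"], m["user"],
                         f"privileged login used {m['method']} instead of a key"))
    return findings


def audit(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log and collect the findings."""
    return [f for line in log_text.splitlines() for f in check_line(line)]


if __name__ == "__main__":
    for ts, user, reason in audit(SAMPLE_LOG):
        print(f"{ts}  {user:6}  {reason}")
```

The value is less in any one rule than in having the privileged-account set, the admin network and the working hours written down somewhere a machine can check them; once those exist, the rules are easy to extend and, more importantly, someone has to own keeping them current, which is exactly the job the previous paragraph describes.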

This last question raises a million others. Your attackable surface changes as fast as the technology does, which means what is safe today may no longer be secure tomorrow morning.

For more enterprise-level cybersecurity best practices, read this.


Image: iStock
