 |
| Photo TAP |
TAP Air Portugal has confirmed it has been the victim of a massive data breach following a powerful hack that has left the personal details of around five million people, including those of Portuguese president Marcelo Rebelo de Sousa openly available on the dark web.
The airline confirmed it had recently been the victim of a cyber-attack, last week which caused the company to call in the relevant authorities. TAP says it has been closely cooperating with authorities, in particular with the Portuguese Criminal Police and the Cybersecurity National Centre, on the investigation of these events since 25th August, when the hack took place.
The attackers had been able to illegitimately access personal data from a large number of TAP customers, which could have very serious consequences for both the airline and the individuals concerned. The hackers were able to get and release on the dark web, the following items of personal data: full name, nationality, gender, date of birth, address, email, telephone contact, customer registration date and frequent flyer number. At the moment, the airline says that payment/credit card numbers were not taken or at risk, however, the true depths of the hack may not yet be known.
TAP says it 'immediately took containment and remediation measures to protect all owned or managed data.' The fact that the data has been disclosed 'through open sources may increase the risk of its illegitimate use, namely with the purpose of obtaining other data that may compromise digital systems to perpetrate fraud (phishing).'
The airline said on its website "We sincerely apologize to our affected customers that their personal data has been released and for any inconvenience, it may cause. We would like to reinstate our commitment towards the protection of our customers’ personal data for which we are developing additional measures to continue reinforcing its security."
Award-winning security blogger Graham Cluley, posted that TAP was attacked by the notorious Ragnar Locker gang who posted the details online and claimed that the data taken from the airline was not encrypted and was stored on public servers in clear text.
