More information on the technical malfunction of the Miles & More Website
Status: 13 December 2019
What malfunction occurred on the Miles & More website and which members were affected?
On Monday, December 9, 2019, from 4.00 p.m. to 4.40 p.m. (CET), a technical malfunction occurred when logging in to the Miles & More website. Miles & More members who were logged in during this specific time window were able to view the accounts of other members and make changes to them. Miles & More reacted as quickly as possible and deactivated the login function.
In total, data from 9,885 Miles & More accounts was retrieved and displayed on the website during this period. This data was displayed partly to the account holder and partly to other participants logged in at the same time. 4,100 participants actively logged in at the time, some more than once. The additional accounts were those of permanently logged-in members. Miles & More informed the maximum of 9,885 affected members of the incident.
Miles & More members who were not logged in to the Miles & More website between 4.00 p.m. and 4.40 p.m. (CET) are not affected by the incident. Similarly, other systems outside the Miles & More website (e.g. Miles & More App or LH.com) are not affected.
If irregularities have occurred in individual cases on the affected participant accounts, Miles & More will identify and correct them as quickly as possible. In addition, Miles & More will ensure that the affected members do not lose any miles illegally.
What account data was potentially visible?
The following data was viewable: name, service card number, date of birth, address, email, telephone number, username, mileage, transaction data, travel preferences (departure airport and automatic check-in), consents for advertising and preferred language settings. Bank account and credit card data could not be viewed. Only the last four digits are displayed in the profile, and these are completely unusable for card abuse. A separate password/PIN is also required for potential changes. Accordingly, no access to bank accounts or credit cards was possible.
Has there been a hacker attack on Miles & More that caused this error?
No, there are currently no signs of a hacker attack.
How secure is data at Miles & More?
Data protection has the highest priority at Miles & More GmbH and is subject to the requirements of the safety organization of Lufthansa Group. Group Privacy fulfils the tasks defined by law and monitors compliance with data protection regulations within the Lufthansa Group. In doing so, we are guided by the globally recognized industry standards ISO 27001 and 27002. Trust is at the core of our loyalty program. Without maximum data protection and sensitivity in dealing with data, this trust would be jeopardized.
We always comply with the requirements of the German Federal Data Protection Act and the General Data Protection Regulation. Personal data of our members is stored by us exclusively in Germany. There is no question that we fully comply with all legal requirements relating to the handling of data.
In addition, Miles & More GmbH has put in place a comprehensive security concept, known as fraud management, which identifies irregularities as quickly as possible and immediately initiates countermeasures, as happened in the present case.
Miles & More is already in contact with the data protection authorities regarding the incident. We ask for your understanding that for security reasons we cannot provide detailed descriptions.
For safety reasons, Miles & More advises the affected participants to change their login details.