Virgin America recently began notifying 3,120 of its employees and contractors that their user names and passwords may have been accessed by hackers, The Register reports.
A company spokesperson told The Register that in 110 cases, victims’ addresses, Social Security numbers, driver’s license or government-issued ID numbers, and/or health-related information may also have been accessed.
In response, the spokesperson said, the company has implemented additional security measures and is now requiring all employees and contractors to change their passwords every 90 days.
In a letter [PDF] to those affected, company vice president and general counsel Kyle Levine stated that “potential unauthorized access to certain Virgin America computer systems” was detected during routine security monitoring on March 13, 2017.
“We immediately took steps to respond to the incident, including initiating our incident response protocol and taking measures to mitigate the impact to affected individuals,” Levine wrote. “We retained cybersecurity forensic experts to investigate the incident and reported the matter to law enforcement.”
“Nevertheless, it appears that a third party may have accessed information about certain Virgin America employees and contractors without authorization,” he added.
Post-Merger Security Concerns
Exabeam CEO Nir Polak told eSecurity Planet by email that the timing of the breach, right after Virgin America’s merger with Alaska Airlines, is worth noting.
“In the chaos of post-merger integration, it can be easier to hack a company’s systems,” Polak said. “Everything is changing and the buyer doesn’t necessarily know a lot about the IT systems and users in the company it has acquired.”
In fact, a recent survey of 100 senior global executives by West Monroe Partners and Mergermarket found that fully 52 percent of respondents said they had discovered a cyber security problem after a deal closed, a significant jump from 40 percent in a similar survey last year.
Among corporations, the survey found, the top three reasons deals fail are cyber security concerns (23 percent), financial and tax issues (23 percent), and problems with compliance (18 percent).
Robert Capps, vice president and authentication strategist at NuData Security, said by email that the Virgin breach highlights the need for companies to focus on new types of authentication methods.
“Changing passwords is a Band-Aid,” he said. “The approach needs to be to the root of the issue — the data the hackers are going after.”
The industry as a whole, Capps said, has to strive to make stolen information valueless to hackers by implementing multiple layers of security, including passive biometrics, behavioral analytics, physical biometrics, two-factor authentication and more. “If one authenticating piece of data is compromised, another one will take its place,” he said.
“While hackers continue to use stolen credentials, their actions could be stopped through behavioral and biometric analyses,” Capps added. “As hard as cyber criminals may try, they cannot mimic the exact behavior of the customer.”