It’s never good when a boat operator talks about a breach, even if in this case it’s figuratively speaking.
Brittany Ferries has told some customers that an unexpected technical glitch following “routine” maintenance of its website left their accounts wide open, potentially exposing very sensitive details to anyone who knew the associated email address.
The operator, which runs ships from the UK to ports in Spain and France, contacted customers on Tuesday with the bad news about a “breach of our data that may have an impact on My Account with Brittany Ferries”.
“Despite our cyber vigilance and stringent security checks, I regret to confirm that your account protection settings were inadvertently changed between October 21 and November 2 this year,” said Ann-Laurie Faber, Brittany Ferries’ data protection officer.
On the second day of this month, she added: “We detected an error in the authentication process used for My Account login details, which means that any My Account can be accessed without the correct password. We tracked this error until October 21 while performing a routine website update. Once we discovered the error, our engineers and security team got down to business immediately, diagnosing and fixing the problem the same day it was discovered.”
A spokesperson for Brittany Ferries told The Reg that a test procedure was omitted from the update process. “A quick patch applied the same day the issue was resolved. Procedures are now updated to ensure proper password checks are run every time the website is updated.”
The result? Anyone who knew the email address connected to a customer’s My Account portal could access that person’s name, postal address, phone number, reservation references for the past six months, passport number, date of birth, and nationality (if added in October or early this month).
Faber said “experts” had confirmed to her that “the risk of malicious interference is exceptionally low and there is certainly no evidence that your data has been compromised. I need to let you know that this happened and apologize accordingly.”
The data protection official added that it might be a good idea to update your password “just in case”.
One customer caught up in the breach told us he was “frustrated” that his passport data, which might be used to falsify his identity, could be accessed by unauthorized types, but that Brittany’s phrases “can’t authorize it” appears to have either actually happened. What happened to the registration requests? “
A company spokesperson told us that no customers have complained about access to their data. At least not yet. He confirmed that the details of about 25,000 customers could have been reached.
“Although I must repeat, the reason for the notification is prudence and good practice. We believe the probability of a malicious attack is virtually nil considering 1) we detected the issue, 2) there is no indication that any kind of malicious external activity has taken place, 3) we quickly resolved the issue – and of course notified the authorities. In a message we advised all customers to change their password accordingly.”
We have asked the ICO for comment. ®