A friendly reminder to organizations in regular communication with the public: You never know who John Q. Public is; for example, it could be me—Adam K. Levin. (Not to be confused with the singer of the almost same name—Adam Levine.) But there are a bunch of Adam Levins, which is why my middle name (Kenneth) and initial (K) actually matter.
Here’s the short version of my recent saga with American Airlines. The name on my ticket (where middle names count) didn’t match the name on my rewards program (no middle name). Because of this incongruity, there were several instances when my mileage didn’t get credited to my frequent-flier program, and I decided it was high time to bring my rewards name into congruity with my TSA-required name. So I contacted American Airlines to set the record straight.
Far from rolling out a Maroon 5 carpet, they were doing the responsible thing—making sure that my “K” was really was mine, confirming what it stood for, and that it was also recognized by a government agency. Specifically, they wanted “legal documentation supporting the name, gender or birth date update.” So, in addition to my AAdvantage number, I was told to provide one of the following: marriage/divorce certificate or other “Name Change document;” “one government-issued ID that includes BOTH the current name on the account and the new name” (hard to visualize that ID), or “two government-issued IDs, one in the current name on the account and the other in the new name.”
As if the documentation wrangling required were not issue enough, there was another problem. They were asking me to do something that, in my professional life, I tell people never to do, because data security is my thing.
The email I received said: “If you wish to email this documentation back to us, simply reply to this email…. Attach a copy of your documentation…..”
When I saw the words “attach a copy of your documentation” mentioned in the same paragraph with the word “email,” my first reaction was: “Houston (or actually Fort Worth), we have a problem.”
There were no instructions regarding passwords or registration/authentication for secure email. It was clearly not a secure system like Zix or others, which require authentication and a password to both send and receive encrypted information on an https platform. This was simply plain old email.
Now for those of you who have day jobs that are not in the data security world, email — or rather a deft use of it as delivery system for malicious code — has exposed many a corporate database or home computer to cyber and identity thieves. Email isn’t safe.
So, I did what any data security columnist would do. I reached out to a media relations representative at American. I was assured that email was secure.
We still had a problem.
Regarding the kind of email that I had received, I was told, “When members reply to this email it remains within the secure email system; however, we do offer a fax option for members who prefer that method. All correspondence coming from and replied to this AAdvantage Customer Service email address is sent through a secure system, so only authorized American representatives can view these messages.”
I’m going to say it again: A secure system requires a password and authentication.
I asked if the company had a CISO (i.e, a Chief Information Security Officer). The communications representative didn’t know. I asked a series of questions that only a CISO or Chief Information Officer could answer, and the rep said she had to see if it would be possible to ask American’s CIO a few questions.
I next received this:
Unfortunately, we cannot get our CIO on the phone today but I can confirm we have a CIO and CISO that work for our organization. Please see our statement below and thank you again for your patience.
We take data security and privacy of our customers very seriously. To verify this customer’s request to change a name previously provided to us on a booking, we required the submission of the types of identification asked for in our email response to the customer. Only previously authorized American Airlines representatives are allowed to access the information transferred to us by the customer.
To confirm the identity of inquiring customers, we require that customers call us or log into their AAdvantage account to submit a query, to which our representatives respond through our secure system to the customer’s email address provided. Once the customer emails these documents back to us, that email and the attached documents are verified by our system and stored in a protected email server to which only our customer representatives have access.
If the customer wishes to provide us with the information via alternate means, such as fax, they are able to do so.
However, we are constantly evaluating our practices to better ensure our customers’ data privacy and security, and we thank you for bringing this issue, which we are continuing to investigate, to our attention. We have plans in the near future to enable customers who have logged in on aa.com to upload documents directly into our secure system as another alternative to providing documents to us.
Follow-up questions regarding the CISO and their best practices — there is someone on LinkedIn who lists CISO at American Airlines as his current employment — went unanswered.
Contrast this with the conversation I had with a communications department rep at United Airlines, who immediately knew not only that the company had a CISO, but told me that United only accepted customers’ supporting evidence for documentation of the kind I was asked to give in a secure https environment. No email allowed.
Generally speaking, if your company has a CISO, you know it. They train you until you can be trained no more and then train you again. They demand that you change passwords often. They ask you to install things on personal devices. They insist on strong authentication systems. They make logging into WiFi networks much harder than you thought humanly possible. They are a demanding lot. They must be. Their responsibilities go far beyond making sure that the network works. Their mission is to ensure that data is safe in a world where databases are under attack 24/7. If no training and nonexistent technology architecture are part of the problem, the work a CISO does is generally part of the solution.
There are some solid strategies for organizations looking to get into better data security shape. In my forthcoming book on identity theft and cybersecurity, I talk about CyberEdge CEO Steve Piper’s prescription for a behavior change that needs to occur: we need to ask the right questions. Here are a few of them:
- Is there a security technology we have overlooked?
- Have we made enough investment in employee security awareness?
- Do we have the ability to decrypt Secure Sockets Layer (SSL) traffic to find hidden threats?
- Are we properly monitoring privileged user accounts?
- Are we doing the right things to reduce our attackable surface?
This last question begs a million others. Your attackable surface is as changeable as technological advances, which means what is safe today may no longer be secure tomorrow morning.