Cyber Incident Victim: Air New Zealand

On or around October 28, 2022, Air New Zealand disclosed an ongoing credential stuffing attack targeting customer accounts. Threat actors leveraged automated tools and lists of previously compromised usernames and passwords to attempt unauthorized access to Airpoints accounts. Credential stuffing exploits reused login credentials across multiple services, allowing attackers to bypass authentication without directly breaching the airline’s systems. Air New Zealand’s chief digital officer, Nikhil Ravishankar, confirmed the attackers did not compromise corporate networks or infrastructure. The incident impacted a limited number of customer accounts, with no evidence of fraudulent transactions or unauthorized access to sensitive personal or financial data. Upon detecting the suspicious login attempts, Air New Zealand promptly locked the affected accounts to prevent further exploitation. The company initiated direct communication with impacted customers, instructing them to reset their passwords before reactivating Airpoints access.

The breach underscored risks associated with password reuse and insufficient credential hygiene. Ravishankar emphasized that compromised credentials originated from external sources unrelated to Air New Zealand’s security posture. Customers were advised to update passwords not only for their Airpoints accounts but also for any other services sharing the same credentials. The airline highlighted the absence of multi-factor authentication (MFA) adoption and infrequent password updates as contributing factors to the attack’s success. No operational disruptions or system outages occurred, as the incident remained confined to individual account compromises. Air New Zealand’s response focused on containment through account lockdowns, customer notifications, and public guidance to strengthen authentication practices across all online accounts. The company maintained that its internal systems remained secure throughout the incident.