Cyber Incident Victim: Air New Zealand

On or around August 9, 2019, Air New Zealand disclosed a phishing incident involving unauthorized access to two staff email accounts, potentially exposing customer information. The airline notified members of its Airpoints loyalty program—estimated at approximately 2 million enrollees—that attackers gained access to internal documents containing personal information through compromised employee accounts. While the breach did not affect Airpoints account passwords, credit card details, or direct access to loyalty program accounts, membership profile information stored in internal documents was potentially visible to the threat actors. Air New Zealand’s Regional General Manager for Loyalty & Customer Direct, Jeremy O’Brien, communicated via email that the company secured the compromised accounts upon discovering the phishing attack and initiated an investigation to determine the extent of data exposure and the attackers’ methods. The incident prompted immediate containment measures, though the airline did not publicly specify the exact number of affected customers or the precise types of personal data involved beyond general references to membership profiles.

Air New Zealand’s response included reinforcing security protocols to prevent future incidents, though no technical specifics were disclosed. The company advised customers to remain vigilant for phishing emails in subsequent months and recommended monitoring bank statements and online accounts for signs of identity theft. Customers were directed to CERT NZ’s resources for guidance on mitigating identity theft risks. The breach highlighted operational vulnerabilities in staff email security but did not disrupt Airpoints program functionality or financial systems. No further details regarding the investigation’s findings, attacker attribution, or regulatory repercussions were disclosed in the available source material.