A clearly visible copy of a passenger's passport is among hundreds of documents obtained by The Korea Times from Asiana Airlines' website. An estimated 47,000 scanned personal documents, including resident registration numbers, passport information, home addresses, bank accounts, phone numbers and family relations records, are believed to have been left unsecure on the website. / Korea Times photo by Park Si-soo



By Park Si-soo, Lee Han-soo

Tens of thousands of items of sensitive passenger information have been leaked on the Internet in a large-scale private data breach against Korea's second-biggest airline, Asiana Airlines.

The information includes citizen resident numbers, passport information, home addresses, bank account details, phone numbers and family relations records. The information, saved on the company's website (flyasiana.com) for the past several years, is believed to have been compromised.



Victims are Koreans and foreigners who traveled or will travel using Asiana or its affiliated airlines, such as United Airlines, Lufthansa, Thai Airways, Singapore Airlines and Scandinavian Airlines, among others.



The Korea Times was able to access hundreds of scanned private documents belonging to customers. They are part of an estimated 47,000 documents believed to have been compromised.

The oldest document obtained by The Korea Times is a flight ticket invoice issued in September 2014. But it is possible the leak extends farther. It is unknown whether the data has already fallen into criminal hands.

Computer engineers who analyzed the exposed data and the way it was accessed said the scanned documents appear to have been attached to customers' query emails to Asiana.

Asiana temporarily shut its server for the Frequently Asked Questions (FAQ) section following the report on the leak and launched an investigation into the case.

"Customers' information that has been saved on the FAQ server since May 2015 seems to have been compromised," Asiana said in a statement. "An investigation is underway to verify the scope of compromised data."

The prosecution and the Korea Internet and Security Agency have launched a respective investigation into the matter.



A foreign computer engineer who first drew attention to the security loophole said: "No hacking skills were required to retrieve it. Just basic knowledge of web development."

Computer engineers here echoed the view, saying Asiana's website security was "extremely poor." They said this was a clear violation of the Personal Information Protection Act, which requires companies handling personal data to store it securely.

"It's evident that there were security loopholes on Asiana's website," said a computer engineer who examined the leaked documents.

"If malicious hackers learned how to access it, they would have been able to steal tens of thousands of copies of private information in seconds using a data-collecting program that is readily available online."

Asiana has built the websites of its two low-cost carrier affiliates ― Air Busan and Air Seoul ― with a similar technical framework.