๐Ÿ”’breach.co.nz ยท the NZ & Australia breach register ๐Ÿ›ก๏ธ A Govern service
Register โ€บ ๐Ÿ‡ณ๐Ÿ‡ฟ NZ โ€บ Other

Air New Zealand โ€” Airpoints

๐Ÿ‡ณ๐Ÿ‡ฟ Auckland ยท Air New Zealand ยท Record NZ-2021-0037
โ—‹ Reported โ€” awaiting official confirmation
Reported โ€” awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2021-03
Regulator
NZ Privacy Commissioner
Trust tier
B ยท Reported

Data exposed

Airpoints member account details (names, contact and loyalty information) Media-reported

Confidence: Confirmed = regulator/court ยท Company-confirmed = the organisation's own disclosure ยท Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In March 2021 Air New Zealand notified Airpoints members of a credential-stuffing attack in which a third party used stolen credentials from elsewhere to access a number of member accounts [rnz-airnz]. The airline locked affected accounts and forced password resets. The number of accounts accessed was not precisely disclosed and is not estimated here.

Timeline

  • 2021-03 โ€” Air NZ disclosed the Airpoints credential-stuffing attack [rnz-airnz].

Current status

Resolved; affected accounts secured. Figures are as reported. [rnz-airnz]

Why it matters

A classic credential-stuffing case โ€” reused passwords, not an Air NZ system flaw, were the way in.