TAP has recently been the victim of a cyber-attack, which was promptly reported to all the relevant authorities. TAP has been closely cooperating with authorities, in particular with the Portuguese Criminal Police and the Cybersecurity National Centre, on the investigation of these events since August 25. While TAP has immediately deployed the appropriate cyber security measures and procedures for this type of events with the support of an industry-leading international IT and forensic expert (Microsoft), the attackers had been able to illegitimately access personal data from some customers of TAP. The measures adopted made it possible to guarantee the availability and integrity of the data and the safe operation of all TAP systems.
Although cyber-attacks are a regular threat to many businesses, TAP immediately took containment and remediation measures to protect all owned or managed data. Regretfully, we want to inform that the following categories of personal data from some customers of TAP have been disclosed: name, nationality, gender, date of birth, address, email, telephone contact, customer registration date and frequent flyer number. The information for each affected customer may vary. We are releasing this notice to make customers aware of this matter. There is no indication that payment data was exfiltrated from TAP’s network.
Disclosure of personal data through open sources may increase the risk of its illegitimate use, namely with the purpose of obtaining other data that may compromise digital systems to perpetrate fraud (phishing).
Although the access password for Miles&Go or customers’ reserved area is not among the personal data that was compromised, as a matter of precaution, we recommend checking the security conditions our customers use to access their reserved area, namely by using a strong password and changing it frequently. We also recommend customers to stay cautious of any unsolicited communications that ask for personal information and to avoid clicking on links or downloading attachments from suspicious emails. Please note that following this public announcement, TAP will not send direct messages on this subject to individual customers by any means.
We sincerely apologize to our affected customers that their personal data has been released and for any inconvenience it may cause. We would like to reinstate our commitment towards the protection of our customers’ personal data for which we are developing additional measures to continue reinforcing its security.
Below are FAQs about the event and further information that may be useful.
We thank you for your understanding!
What happened in detail?
In August, TAP Air Portugal (TAP) detected an unauthorized third-party access to certain IT systems. TAP was prepared for such a scenario and immediately set up a team of internal and external IT and forensic experts to thoroughly investigate and prevent further damage.
What have been the measures taken by TAP?
Cyber-attacks are a regular threat to many businesses and TAP was prepared for such a scenario. TAP immediately set up a team of internal and external IT and forensic industry-leading experts to thoroughly investigate and prevent further damage. All affected systems have been isolated and the cleaning of those systems promoted. The good news is: TAP operations were never affected – all TAP operations are running, safe and secure.
Specific measures taken by TAP include: deploying response and containment efforts with internal and external teams; deploying industry-leading experts for investigation and forensics; deploying an external team to support compromise recovery; and strengthening security measures in specific areas as a precaution.
Was TAP’s customers personal data secure?
The captured data was securely stored on TAP’s IT systems using appropriate organizational and technical measures based on usual standards for compliance with applicable legal requirements.
By what technical and organizational measures was TAP protected from such type of intrusions?
Measures implemented at TAP include: regular backups of data; use of antivirus; firewalls with IDS/IPS; e-mail protection tools; second factor of authentication; security patches; vulnerability scans; penetration testing; cybersecurity training, among others.
What impact does the disruption have on the operational business?
Thanks to the cyber security systems and quick actions by the internal IT team, the intrusion was contained in an early stage. Hence, no impairment of the operational processes occurred. Our customers can continue to safely travel with our airline.
Has data been leaked?
Unfortunately, personal data from some of our customers was illegitimately accessed by hackers and publicly disclosed. Information affected may include data such as name, nationality, gender, date of birth, address, email, telephone contact, customer registration date and frequent flyer number. The information for each affected customer may vary. As for the moment, there is no indication that payment data was exfiltrated from TAP’s network.
Where was my data published?
The data was leaked on the attackers’ data leak site. Hackers operate such dedicated leak sites hidden in the “dark web”. The dark web describes a part of the World Wide Web that cannot be accessed via search engines such as Google or via commonly used web browsers. Instead, a special browser is required to access websites within the dark web.
What is happening with the stolen data?
Hackers have published the illegally obtained data on the dark web. Disclosure of personal data through open sources may increase the risk of its illegitimate use, namely with the purpose of obtaining other data that may compromise digital systems to perpetrate fraud (phishing).
What actions should I take?
Although the access password for Miles&Go or customers’ reserved area is not among the affected customer data, as a matter of precaution, we recommend you check the security conditions you use to access your reserved area, namely by using a strong password and changing it frequently. We also recommend you stay cautious of any unsolicited communications that ask for your personal information and avoid clicking on links or downloading attachments from suspicious emails.
How can I change my password?
Customer password may be changed at FlyTap website by selecting login at the top right of the page and choosing “Don’t remember/change my password”. A window to “recover/change my password” will pop-up for you to insert your email address. You will receive an email with a link to reset the password and register a new access password.