Last Sunday, I received a picture that showed personal information about an individual named Bhanumatee Soornack. I initially thought it referred to Ms Nandanee Soornack who currently faces money laundering charges in Mauritius while an extradition request is under review in Italy. The picture was most apparently taken using a mobile phone and it shows a terminal screen that would not be accessible to non-staff personnel. The data was consequently leaked by an Emirates employee who explicitly gave permission to a third-party to share it, if he wishes to.
It is a common misconception that data breaches occur mainly due to cyber criminals compromising a system, but more often than not, it is due to sheer stupidity or lax security. In many of similar cases, the breaches were put down to poor data security practices or simple errors.
Obviously, I was very concerned about this data breach and emailed Emirates to find out more. I was particularly interested in their comments on how they are handling this situation. Certainly, a large company like Emirates, should have protocols in place, should this kind of situation arise.
My questions were simple and straightforward. I wanted to know about their policies in place to prevent such situation from happening. I have no means to know about their internal policies. Is there any policy restricting the use of mobile phones to employees? Are there restrictions in passenger details being shared with any third-party (be it a family member, a friend etc)? The said picture was sent over the Internet and at the time of writing, several copies of the picture must be residing on cache servers.
I contacted Emirates to have their version of the story and get answers to above questions. I introduced myself as a Mauritian blogger particularly interested in privacy breaches involving Mauritian citizens. Unfortunately, I did not receive any reply from them and this is even more worrying.