Two hackers have scored a million frequent-flier miles each on United Airlines for finding security holes in the airline’s computer systems.
The awards were made under a security program that United started in May. Technology companies have offered so-called bug bounties, but they are unusual in the transportation industry.
United spokesman Luke Punzenberger said Thursday that two people have received the maximum award of 1 million miles each and others got smaller awards. A million miles is enough for several first-class trips to Asia or up to 20 round-trips in the U.S.
Punzenberger declined to say what kinds of flaws the hackers found but said their information had been turned over to company researchers. “We’re confident that our systems are secure,” he said.
United has suffered several major problems with technology systems since 2012, when it switched passenger-reservations and other systems over to those that had been used at its smaller merger partner, Continental Airlines. Last week, all United flights were briefly grounded and more than 1,000 delayed after one such breakdown, which the airline blamed on a faulty computer router. A smaller outage occurred in June.
Airlines “take all necessary precautions” to keep customer data secure, and most if not all have internal programs that continuously check systems for intrusions, said Jean Medina, a spokeswoman for the industry trade group Airlines for America. She said, however, that the group isn’t aware of any other airline offering a bug bounty.
Bounties are common in the tech world. Companies use them to enlist so-called white-hat hackers with enough specialized skill to spot security gaps before cybercriminals use them to steal customer information or crash websites.
Chris Petersen, chief technology officer and co-founder of LogRhythm, a Boulder, Colo.-based security intelligence company, said bug bounties are growing in popularity, as companies race to shut all the backdoors into their systems before the black-hat hackers find them.
But there just aren’t that many people out there with the needed abilities.
“It’s very specialized and there aren’t that many people (who) are very good at it,” Petersen said. “Those that are, are very expensive to hire.”
Google, Yahoo, Microsoft and others publish bounty rules on their sites.
Facebook, for example, asks hackers for “reasonable time” before going public with their findings. It promises not to sue or call law enforcement on tipsters if they do their best to avoid privacy violations and service interruptions during their research.