Ant Timpson got a fright when he discovered his Fly Buys points had been stolen, a camera purchased and the goods sent to a notorious Auckland address. He rejects claims he’s fallen for a phishing scam.
A week or so ago Ant Timpson, an Auckland producer who has worked on films like The Greasy Strangler and The ABCs of Death, was reading a Fly Buys mailer when he thought to check just how many points he’d accumulated after spending around $20,000 on recent travel.
Timpson opened his computer. The account was still logged in, but Timpson’s details had been changed, his account’s email now ended in the Russian domain .ru, and his passwords had been compromised. His points were gone, exchanged for a high-end Canon camera in late October and delivered to a notorious boarding house in central Auckland, addressed to one Raymond Nightingale.
The only Auckland-based Raymond Nightingale that emerged in searches died in 2015.
“I could see what they’d bought,” said Timpson. “And even the name, but I couldn’t kick them out of the account.”
On Monday, when the call centre opened, Timpson called Fly Buys. They were oblivious.
“This clearly hadn’t happened before and they had no idea what was going on,” said Timpson.
When The Spinoff put that to Fly Buys, a representative suggested Timpson had been the victim of a phishing scam, which affected only a tiny minority of customers.
“Fly Buys became aware of a potential phishing email yesterday afternoon and we immediately contacted the affected members and froze their accounts,” said David Webb, Loyalty NZ chief operating officer, on Tuesday. “This incident is not because of any vulnerability of our website or our security protocols.”
But phishing schemes don’t typically have any local, on-the-ground connection. And Timpson maintains he never received anything that could constitute a phishing attempt beyond official Fly Buys communications.
“I’m naturally incredibly suspicious of scams like that,” he said. “Even when I got the emails from Fly Buys informing me my credentials had been changed and asking me to click the link to reset them, I was like ‘no, fuck that’.”
Fly Buys maintain the vulnerability is on the user end, but concede they don’t understand exactly what is happening, how many people may be affected, or how many points have been fraudulently redeemed.
“All of the information available to us indicates the account holders have lost control of their account,” said David Higgins, Loyalty NZ information security manager. “We haven’t had any kind of data breach or hacking on our platform that has led to customer information being disclosed.”
“Part of our ongoing investigation is understanding what was the trigger that leads to these compromised accounts.”
Fly Buys said the matter has been referred to police and the government’s Computer Emergency Response Team.
“We’ve started an investigation with the police which is ongoing. We were made aware of this on Monday afternoon and we have been working fully since then how we can help the members who we have been able to confirm are impacted by this, and also to see if there are members who are not aware if they have been impacted.”
Police said they were unaware of any reports of stolen Fly Buys goods, and refused to comment on the delivery address out of privacy concerns. Occupants of the Auckland address did not respond to requests for comment.
Timpson said he was concerned at the lack of information, and said he was not convinced Fly Buys had fully grasped what was happening.
“It’s pretty shoddy. It’s been really bad communication, and it’s disappointing because I don’t know how bad it is. I don’t care about the camera, but what the hell actually happened? How much of my information is now out?
“I like helping the less fortunate, but there’s probably a better way to do it.”