Liarna LaPorta of Wandera reports:
Wandera’s threat research team has discovered a vulnerability affecting a number of airline e-ticketing systems that can expose passengers’ personally identifiable information (PII). This vulnerability can expose passenger data by using links that are easily intercepted by hackers. The intercepted and unencrypted links enable unauthorized third parties to view, and in some cases even change, a user’s flight booking details, and/or print their boarding passes.
According to their researchers, some airlines that send unencrypted check-in links through e-ticketing systems include:
- Southwest (world’s largest low-cost airline, HQ in the US)
- Air France (major carrier in France)
- KLM (major carrier in the Netherlands)
- Vueling (low-cost airline in Spain)
- Jetstar (low-cost airline in Australia)
- Thomas Cook (British charter airline)
- Transavia (Dutch low-cost airline)
- Air Europa (third largest airline in Spain)
The firm notified the airlines and federal government of its findings. As of its February 6th public report, only one of the airlines, Air France-KLM, had issued a statement in response to the allegations.
You can read more on Wandera’s blog, but the fact that Thomas Cook is on their list may raise a few eyebrows. Thomas Cook Belgium had allegedly been hacked in 2014 by Rex Mundi, and as recently as July, 2018, the airline was again in the news about a vulnerability that they had not disclosed to customers:
Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines’ systems using only a booking reference number. Simply changing the booking number unveiled a new set of customer details.
The exposed info covered trips booked through the travel agency Ving, which is owned by Thomas Cook.
How many times does an airline get to have its name linked to data security breaches or vulnerabilities before some regulatory hammer falls?