PASSENGERS travelling with one of 141 international airlines could have lost their seats or had their miles stolen following a security breach with a ticket booking system.
The breach was attributed to the Amadeus ticket booking platform, which is used by airlines including British Airways, Qantas, Lufthansa and Air Canada.
The breach, discovered by Noam Rotem at the Safety Detective Research Lab, meant flight details of potentially any passenger booking through the platform were vulnerable to hackers.
Noam discovered the issue while booking his own flights.
After receiving a link to access his own booking, he found that it was easy to gain access to the details of any passenger with a booking. All he needed to change was the “RULE_SOURCE_1_ID”, a code embedded in the back end of the website, and the passenger name record (PNR).
And as airlines don’t always encrypt information sent to their customers, Safety Detective’s Paul Kane said that they were “able to find PNRs of random customers, which included all of their personal information.”
The breach allowed the team to gain access to a passenger’s name and flight information, meaning they could log into random people’s accounts on airline websites and make any changes they wanted.
This includes seat reservations, email addresses, phone numbers, frequent flyer points and flights, which could have been changed or even cancelled.
With flight bookings so easily accessed, the flaw could have resulted in chaos for potentially millions of travellers, according to Safety Detective.
The breach has since been fixed, according to Paul, and there have not so far been any reports of stolen data.
An Amadeus spokesperson said: “At Amadeus, we give security the highest priority and are constantly monitoring and updating all of our products and systems. We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed.
“We can confirm that Amadeus has not detected any data breach and that no data from travelers was disclosed. We regret any disruption this situation may have caused.”
“We work together with our customers and partners in the industry to address PNR security overall. The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale. Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration.”
Last year, 380,000 British Airways customers had their bank details stolen after the website was hacked.
The stolen data included personal and financial information, not travel or passport details.
PNRs are also easy to find on social media, where many travellers still post images of their boarding passes, which contain their personal details.
A previous experiment showed how easy it is to gain access: Steve Hui from iflyflat.com.au used a boarding pass posted online to quickly find all of the booking details of the anonymous flyer.