Encryption, Asia Pacific, Content

Southwest, Air France, KLM Leave Passenger Information Vulnerable to Hackers, Report Says

Southwest, Air France and KLM are among a group of eight airlines that don’t encrypt data on e-ticket booking systems, potentially exposing passengers’ personal information to hackers, a security provider’s researchers said.

While cyber attackers trolling the same network as a passenger could potentially corral the flyer’s booking and check-in details, the risk to users is actually greater than disruption: Bad actors could also access the user’s personal identifiable information (PII), including email, name and passport identification number, according to enterprise mobile security specialist Wandera’s researchers.

The affected airlines, which also includes smaller, regional carriers Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, apparently send unencrypted check-in links through their e-ticketing systems, Wandera said.

“Our threat researchers discovered that these airlines have sent unencrypted check-in links to passengers,” Liarna La Porta, Wandera global marketing senior manager, wrote in a blog post. “Upon clicking these unencrypted links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make certain changes to their booking and print off the boarding pass,” she said. “A hacker on the same network as the passenger can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in.”

The London, San Francisco, and Czech Republic-based Wandera said it first discovered the vulnerability last December. “Our threat research team observed that travel-related passenger details were being sent without encryption as one of our secured customers accessed the e-ticketing system of one of the airlines,” La Porta wrote.

Wandera has notified all the affected airlines, La Porta said. “Wandera has a strict responsible disclosure process that we follow in situations like this,” she said. “Once the affected vendor is notified, we will allow up to four weeks for the vendor to provide a patch or other relevant fix before we disclose the vulnerability to alert the public.”

It’s not clear if the airlines have fixed the security flaws. However, in response to Wandera’s public disclosure, the Dutch airline KLM and Air France group issued a statement denying its passengers’ PII was at risk to hackers. The airlines group also said a patch had been installed to fix the check-in flaw:

“The Air France-KLM group's databases are monitored in real time to identify and prevent any fraudulent access. There has been no hacking of airlines group databases.

An e-mail sent to the customers before their trip contains a link to the check-in process on the airlines' commercial websites. Fraudulent use of this link would under no circumstances allow access to data other than that of the current reservation. Customer profile information, including sensitive information such as bank details, is fully protected.

IT teams immediately took the necessary steps and the update of the link sent to customers as part of the check-in process is effective.”

Late last summer, a flurry of data exposures hit the airline industry, most notably security incidents involving Air Canada and British Airways. In late August, Air Canada suffered a data breach that exposed personal information – including stored passport numbers – of some 20,000 users. At roughly the same time, British Airways suffered a data breach that exposed the account numbers and personal information of 380,000 of its customers.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.