PhotoA bug has been detected in British Airways e-ticketing system which could expose a passenger’s personal data.

Researchers at Wandera, a mobile security firm, uncovered the bug below the surface of emailed check-in links sent by British Airways to passengers. Wandera’s team told Threatpost that they calculate 2.5 million connections were made to affected British Airways domains over the past six months, calling the potential impact “significant.”

British Airways’ intentions were good; the company hoped to streamline the user experience. But the researchers say the company left links in its emails unencrypted, which means that passengers’ booking reference numbers, phone numbers, and email addresses could be looted by a cyber criminal. 

“Someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information,” wrote Wandera’s Liarna La Porta in her analysis of the issue.

In total, La Porta claims there were 11 pieces of personal data potentially exposed:

  • Email Address

  • Telephone Number

  • British Airways Membership Numbers

  • First Name

  • Last Name

  • Booking Reference

  • Itinerary

  • Flight Number

  • Flight Times

  • Seat Number

  • Baggage Allowance

Wandera claims that it discovered a similar check-in link vulnerability earlier this year with eight other major airlines: Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia. The firm says it notified each airline and urged them to “take action to secure the check-in links.”

British Airways responds

In a statement to ConsumerAffairs, British Airways said that Wandera's finding could be driven by business interests.

“Wandera sells security solutions to corporate clients. Their research is created to drive revenue,” a company representative said.

The company reiterated that no passport or payment information was accessed as part of the breach, and that it has multiple systems in place to protect its customers.

Anything a consumer can do?

There’s not much an airline passenger can do in scenarios like this. Most of the burden is really on the airlines since the issues are technical.

The one thing Wandera says a consumer should consider is installing an active mobile security app to monitor and block data leaks and phishing attacks.


Share your Comments