Your Personal Data Was Potentially Exposed by a Flaw in 140+ Airlines' Software
Most travelers know not to share un-masked photos their boarding passes online. By scanning the barcode or just reading the name and reservation number off the boarding pass, anyone can access your personal data and may be able to change or cancel your flight. However, until last week, hackers didn't need your boarding pass to get your data or wreak havoc on your reservation if it was booked through one of more than 140 airlines.
While the average flyer probably has not heard of Amadeus or Sabre, most airlines across the world use one of these two major reservation systems. And Israeli hacker Noam Rotem -- working with Safety Detective -- discovered a major flaw in Amadeus that left a backdoor open for hackers to easily access passengers' data, including birthday, address, email, phone number and access to frequent flyer accounts.
Chances are you've booked a flight through one of the airlines that uses the Amadeus reservation system. These airlines include: Air Canada, Air France, ANA, Asiana, Austrian, British Airways, Brussels Airlines, Cathay Pacific, El Al, EVA Airways, Finnair, Iberia, Icelandair, KLM, Korean Airways, Lufthansa, Malaysian Airlines, OpenSkies, Qantas, SAS, Singapore Airlines, SWISS, TAP Portugal, Thai Airways and many more.
Even without this flaw, it doesn't take much to access an airline reservation. Typically, all you need is the last name of the passenger and the Personal Name Record (PNR) for the reservation. However, using El Al's reservation system, researchers found that they could simply tweak a URL to pull up any Amadeus reservation using just the six-digit Personal Name Record (PNR). The passenger's last name wasn't required.
Even worse, the researchers found that there was no limitation in place to keep them from randomly generating numbers and pinging the Amadeus system to check if there was an active reservation using that PNR. While there are around two million possible six-digit alphanumeric combinations, the researchers were able to go through possibilities with decent speed:
Through this process they were able to retrieve an undisclosed number of active reservations. And once they found a match, the researchers report:
"We were able to log into El Al's customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer's email and phone number, which could then be used to cancel/change flight reservation via customer service."
Being "white-hat hackers," the researches shared their discovery with Amadeus -- along with suggestions to add reservation passwords, captcha and other "bot protection mechanisms" to keep this from being possible in the future.
Amadeus responded to Safety Detective that it "took immediate action" to fix the issue and "can now confirm that the issue is solved."
"To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers' personal information, the company's statement continued. "We regret any inconvenience this situation might have caused."
As this wasn't a traditional hack -- like Marriott, Cathay Pacific, Equifax and more -- its unclear how many passengers' data may have been exposed through this simple reservation access method. Amadeus says it hasn't detected a data breach.
"We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed," Amadeus said in a statement to TPG. "We can confirm that Amadeus has not detected any data breach and that no data from travelers was disclosed. We regret any disruption this situation may have caused."
However, it seems it would be tough for Amadeus to be sure that "no data from travelers was disclosed." It's possible that Amadeus could see from its logs whether another brute-force attack -- similar to the one that the researchers used -- had been employed. However, this reservation access method is identical to how El Al passengers would access their reservations when clicking through a confirmation email. Indeed, that's how the hacker discovered this access method. So, at the very least, it would likely be difficult to say for sure that bad actors didn't utilize this reservation access method on a smaller scale.
Looking forward, there clearly needs to be a better way to secure flight reservation data than the archaic procedure that simply requires a PNR and the traveler's last name. In its statement, Amadeus emphasizes that it realizes this and is working "together with our customers and partners in the industry to address PNR security overall."
"The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale," the company said. "Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration."
Speaking of the International Air Transportation Association (IATA), the standard-setting industry group finally released a statement on Wednesday -- almost a week after the disclosure about the backdoor. The statement pledges that "IATA is committed to working with industry stakeholders to ensure passenger information remains secure."
The Department of Transportation and Federal Aviation Administration were unable to be reached for comment due to the partial government shutdown.
TPG featured card
at American Express's secure site
Terms & restrictions apply. See rates & fees.
| 3X | Earn 3X Miles on Delta purchases. |
| 1X | Earn 1X Miles on all other eligible purchases. |
Pros
- Delta SkyClub access when flying Delta
- Annual companion ticket for travel on Delta (upon renewal)
- Ability to earn MQDs through spending
- Various statement credits for eligible purchases
Cons
- Steep annual fee of $650
- Other Delta cobranded cards offer superior earning categories
- Earn 100,000 Bonus Miles after you spend $6,000 or more in purchases with your new Card within the first 6 months of Card Membership and an additional 25,000 bonus miles after you make an additional $3,000 in purchases on the Card within your first 6 months, starting from the date that your account is opened. Offer Ends 04/01/2026.
- Delta SkyMiles® Reserve American Express Card Members receive 15 Visits per Medallion® Year to the Delta Sky Club® when flying Delta and can unlock an unlimited number of Visits after spending $75,000 in purchases on your Card in a calendar year. Plus, you’ll receive four One-Time Guest Passes each Medallion Year so you can share the experience with family and friends when traveling Delta together.
- Enjoy complimentary access to The Centurion® Lounge in the U.S. and select international locations (as set forth on the Centurion Lounge Website), Sidecar by The Centurion® Lounge in the U.S. (see the Centurion Lounge Website for more information on Sidecar by The Centurion® Lounge availability), and Escape Lounges when flying on a Delta flight booked with the Delta SkyMiles® Reserve American Express Card. § To access Sidecar by The Centurion® Lounge, Card Members must arrive within 90 minutes of their departing flight (including layovers). To access The Centurion® Lounge, Card Members must arrive within 3 hours of their departing flight. Effective July 8, 2026, during a layover, Card Members must arrive within 5 hours of the connecting flight.
- Receive $2,500 Medallion® Qualification Dollars with MQD Headstart each Medallion Qualification Year and earn $1 MQD for each $10 in purchases on your Delta SkyMiles® Reserve American Express Card with MQD Boost to get closer to Status next Medallion Year.
- Enjoy a Companion Certificate on a Delta First, Delta Comfort, or Delta Main round-trip flight to select destinations each year after renewal of your Card. The Companion Certificate requires payment of government-imposed taxes and fees of between $22 and $250 (for itineraries with up to four flight segments). Baggage charges and other restrictions apply. Delta Basic experiences are not eligible for this benefit.
- $240 Resy Credit: When you use your Delta SkyMiles® Reserve American Express Card for eligible purchases with U.S. Resy restaurants, you can earn up to $20 each month in statement credits. Enrollment required.
- $120 Rideshare Credit: Earn up to $10 back in statement credits each month after you use your Delta SkyMiles® Reserve American Express Card to pay for U.S. rideshare purchases with select providers. Enrollment required.
- Delta SkyMiles® Reserve American Express Card Members get 15% off when using miles to book Award Travel on Delta flights through delta.com and the Fly Delta app. Discount not applicable to partner-operated flights or to taxes and fees.
- With your Delta SkyMiles® Reserve American Express Card, receive upgrade priority over others with the same Medallion tier, product and fare experience purchased, and Million Miler milestone when you fly with Delta.
- Earn 3X Miles on Delta purchases and earn 1X Miles on all other eligible purchases.
- No Foreign Transaction Fees. Enjoy international travel without additional fees on purchases made abroad.
- $650 Annual Fee.
- Apply with confidence. Know if you're approved for a Card with no impact to your credit score. If you're approved and you choose to accept this Card, your credit score may be impacted.
- Terms Apply.
- See Rates & Fees