Your Personal Data Was Potentially Exposed by a Flaw in 140+ Airlines’ Software

Jan 23, 2019

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Most travelers know not to share un-masked photos their boarding passes online. By scanning the barcode or just reading the name and reservation number off the boarding pass, anyone can access your personal data and may be able to change or cancel your flight. However, until last week, hackers didn’t need your boarding pass to get your data or wreak havoc on your reservation if it was booked through one of more than 140 airlines.

While the average flyer probably has not heard of Amadeus or Sabre, most airlines across the world use one of these two major reservation systems. And Israeli hacker Noam Rotem — working with Safety Detective — discovered a major flaw in Amadeus that left a backdoor open for hackers to easily access passengers’ data, including birthday, address, email, phone number and access to frequent flyer accounts.

Chances are you’ve booked a flight through one of the airlines that uses the Amadeus reservation system. These airlines include: Air Canada, Air France, ANA, Asiana, Austrian, British Airways, Brussels Airlines, Cathay Pacific, El Al, EVA Airways, Finnair, Iberia, Icelandair, KLM, Korean Airways, Lufthansa, Malaysian Airlines, OpenSkies, Qantas, SAS, Singapore Airlines, SWISS, TAP Portugal, Thai Airways and many more.

Finnair’s Manage Booking page is a resource that Oneworld travelers can utilize to easily change details of their booking.

Even without this flaw, it doesn’t take much to access an airline reservation. Typically, all you need is the last name of the passenger and the Personal Name Record (PNR) for the reservation. However, using El Al’s reservation system, researchers found that they could simply tweak a URL to pull up any Amadeus reservation using just the six-digit Personal Name Record (PNR). The passenger’s last name wasn’t required.

Even worse, the researchers found that there was no limitation in place to keep them from randomly generating numbers and pinging the Amadeus system to check if there was an active reservation using that PNR. While there are around two million possible six-digit alphanumeric combinations, the researchers were able to go through possibilities with decent speed:

Through this process they were able to retrieve an undisclosed number of active reservations. And once they found a match, the researchers report:

“We were able to log into El Al’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”

Being “white-hat hackers,” the researches shared their discovery with Amadeus — along with suggestions to add reservation passwords, captcha and other “bot protection mechanisms” to keep this from being possible in the future.

Amadeus responded to Safety Detective that it “took immediate action” to fix the issue and “can now confirm that the issue is solved.”

“To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information, the company’s statement continued. “We regret any inconvenience this situation might have caused.”

As this wasn’t a traditional hack — like Marriott, Cathay Pacific, Equifax and more — its unclear how many passengers’ data may have been exposed through this simple reservation access method. Amadeus says it hasn’t detected a data breach.

“We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed,” Amadeus said in a statement to TPG. “We can confirm that Amadeus has not detected any data breach and that no data from travelers was disclosed. We regret any disruption this situation may have caused.”

However, it seems it would be tough for Amadeus to be sure that “no data from travelers was disclosed.” It’s possible that Amadeus could see from its logs whether another brute-force attack — similar to the one that the researchers used — had been employed. However, this reservation access method is identical to how El Al passengers would access their reservations when clicking through a confirmation email. Indeed, that’s how the hacker discovered this access method. So, at the very least, it would likely be difficult to say for sure that bad actors didn’t utilize this reservation access method on a smaller scale.

Looking forward, there clearly needs to be a better way to secure flight reservation data than the archaic procedure that simply requires a PNR and the traveler’s last name. In its statement, Amadeus emphasizes that it realizes this and is working “together with our customers and partners in the industry to address PNR security overall.”

“The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale,” the company said. “Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration.”

Speaking of the International Air Transportation Association (IATA), the standard-setting industry group finally released a statement on Wednesday — almost a week after the disclosure about the backdoor. The statement pledges that “IATA is committed to working with industry stakeholders to ensure passenger information remains secure.”

The Department of Transportation and Federal Aviation Administration were unable to be reached for comment due to the partial government shutdown.

Marriott Bonvoy Business® American Express® Card

Receive 1 Free Night Award every year after your Card account anniversary. Plus, earn an additional Free Night Award after you spend $60K in purchases on your Card in a calendar year. Awards can be used for one night (redemption level at or under 35,000 Marriott Bonvoy points) at hotels participating in the Marriott Bonvoy program.

Apply Now
More Things to Know
  • Limited Time Offer: Earn 125,000 Marriott Bonvoy Bonus Points after spending $5,000 in purchases on your new Card in your first 3 months of Card Membership. Offer expires 8/31/22.
  • 6x points at hotels participating in the Marriott Bonvoy™ program.
  • 4x points for purchases made at restaurants worldwide, at U.S. gas stations, on wireless telephone services purchased directly from U.S. service providers and on U.S. purchases for shipping.
  • 2x points on all other eligible purchases.
  • Receive a 7% discount off standard rates for reservations of standard guest rooms at hotels that participate in the Marriott Bonvoy program when you book directly. Terms and Conditions Apply.
  • Receive 1 Free Night Award every year after your Card renewal month. Plus, earn an additional Free Night Award after you spend $60K in purchases on your Card in a calendar year. Awards can be used for one night (redemption level at or under 35,000 Marriott Bonvoy points) at a participating hotel. Certain hotels have resort fees.
  • Enjoy Complimentary Marriott Bonvoy Gold Elite Status with your Card.
  • Terms apply.
  • See Rates & Fees
Regular APR
17.99% - 26.99% Variable
Annual Fee
Balance Transfer Fee
Recommended Credit
Terms and restrictions apply. See rates & fees.

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.