Your Personal Data Was Potentially Exposed by a Flaw in 140+ Airlines’ Software

Jan 23, 2019

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Most travelers know not to share un-masked photos their boarding passes online. By scanning the barcode or just reading the name and reservation number off the boarding pass, anyone can access your personal data and may be able to change or cancel your flight. However, until last week, hackers didn’t need your boarding pass to get your data or wreak havoc on your reservation if it was booked through one of more than 140 airlines.

While the average flyer probably has not heard of Amadeus or Sabre, most airlines across the world use one of these two major reservation systems. And Israeli hacker Noam Rotem — working with Safety Detective — discovered a major flaw in Amadeus that left a backdoor open for hackers to easily access passengers’ data, including birthday, address, email, phone number and access to frequent flyer accounts.

Chances are you’ve booked a flight through one of the airlines that uses the Amadeus reservation system. These airlines include: Air Canada, Air France, ANA, Asiana, Austrian, British Airways, Brussels Airlines, Cathay Pacific, El Al, EVA Airways, Finnair, Iberia, Icelandair, KLM, Korean Airways, Lufthansa, Malaysian Airlines, OpenSkies, Qantas, SAS, Singapore Airlines, SWISS, TAP Portugal, Thai Airways and many more.

Finnair’s Manage Booking page is a resource that Oneworld travelers can utilize to easily change details of their booking.

Even without this flaw, it doesn’t take much to access an airline reservation. Typically, all you need is the last name of the passenger and the Personal Name Record (PNR) for the reservation. However, using El Al’s reservation system, researchers found that they could simply tweak a URL to pull up any Amadeus reservation using just the six-digit Personal Name Record (PNR). The passenger’s last name wasn’t required.

Even worse, the researchers found that there was no limitation in place to keep them from randomly generating numbers and pinging the Amadeus system to check if there was an active reservation using that PNR. While there are around two million possible six-digit alphanumeric combinations, the researchers were able to go through possibilities with decent speed:

Through this process they were able to retrieve an undisclosed number of active reservations. And once they found a match, the researchers report:

“We were able to log into El Al’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”

Being “white-hat hackers,” the researches shared their discovery with Amadeus — along with suggestions to add reservation passwords, captcha and other “bot protection mechanisms” to keep this from being possible in the future.

Amadeus responded to Safety Detective that it “took immediate action” to fix the issue and “can now confirm that the issue is solved.”

“To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information, the company’s statement continued. “We regret any inconvenience this situation might have caused.”

As this wasn’t a traditional hack — like Marriott, Cathay Pacific, Equifax and more — its unclear how many passengers’ data may have been exposed through this simple reservation access method. Amadeus says it hasn’t detected a data breach.

“We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed,” Amadeus said in a statement to TPG. “We can confirm that Amadeus has not detected any data breach and that no data from travelers was disclosed. We regret any disruption this situation may have caused.”

However, it seems it would be tough for Amadeus to be sure that “no data from travelers was disclosed.” It’s possible that Amadeus could see from its logs whether another brute-force attack — similar to the one that the researchers used — had been employed. However, this reservation access method is identical to how El Al passengers would access their reservations when clicking through a confirmation email. Indeed, that’s how the hacker discovered this access method. So, at the very least, it would likely be difficult to say for sure that bad actors didn’t utilize this reservation access method on a smaller scale.

Looking forward, there clearly needs to be a better way to secure flight reservation data than the archaic procedure that simply requires a PNR and the traveler’s last name. In its statement, Amadeus emphasizes that it realizes this and is working “together with our customers and partners in the industry to address PNR security overall.”

“The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale,” the company said. “Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration.”

Speaking of the International Air Transportation Association (IATA), the standard-setting industry group finally released a statement on Wednesday — almost a week after the disclosure about the backdoor. The statement pledges that “IATA is committed to working with industry stakeholders to ensure passenger information remains secure.”

The Department of Transportation and Federal Aviation Administration were unable to be reached for comment due to the partial government shutdown.

Delta SkyMiles® Platinum American Express Card

Earn 90,000 bonus miles and 10,000 Medallion® Qualification Miles (MQMs) after you spend $3,000 in purchases on your new card in the first three months of card membership. Offer ends 11/10/2021.

With Status Boost™, earn 10,000 Medallion Qualification Miles (MQMs) after you spend $25,000 in purchases on your Card in a calendar year, up to two times per year getting you closer to Medallion Status. Earn 3X Miles on Delta purchases and purchases made directly with hotels, 2X Miles at restaurants and at U.S. supermarkets and earn 1X Mile on all other eligible purchases. Terms Apply.

Apply Now
More Things to Know
  • Limited Time Offer: Earn 90,000 Bonus Miles and 10,000 Medallion® Qualification Miles (MQMs) after you spend $3,000 in purchases on your new Card in your first 3 months. Offer expires 11/10/2021.
  • Earn up to 20,000 Medallion® Qualification Miles (MQMs) with Status Boost® per year. After you spend $25,000 in purchases on your Card in a calendar year, you can earn 10,000 MQMs two times per year, getting you closer to Medallion® Status. MQMs are used to determine Medallion® Status and are different than miles you earn toward flights.
  • Earn 3X Miles on Delta purchases and purchases made directly with hotels.
  • Earn 2X Miles at restaurants worldwide, including takeout and delivery and at U.S. supermarkets.
  • Earn 1X Miles on all other eligible purchases.
  • Receive a Domestic Main Cabin round-trip companion certificate each year upon renewal of your Card. *Payment of the government imposed taxes and fees of no more than $75 for roundtrip domestic flights (for itineraries with up to four flight segments) is required. Baggage charges and other restrictions apply. See terms and conditions for details.
  • Enjoy your first checked bag free on Delta flights.
  • Fee Credit for Global Entry or TSA Pre✓®.
  • Enjoy an exclusive rate of $39 per person per visit to enter the Delta Sky Club® for you and up to two guests when traveling on a Delta flight.
  • No Foreign Transaction Fees.
  • $250 Annual Fee.
  • Terms Apply.
  • See Rates & Fees
Regular APR
15.74%-24.74% Variable
Annual Fee
Balance Transfer Fee
Recommended Credit
Terms and restrictions apply. See rates & fees.

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.