A security bug discovered in British Airways’ e-ticketing system has the potential to expose passengers’ data, including their flight booking details and personal information.

Researchers on Tuesday said that check-in links being sent by British Airways to their passengers via email are unencrypted – opening them up to an attack that could expose victims’ booking reference numbers, phone numbers, email addresses and more.

“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” said researchers with Wandera in a Tuesday analysis. “The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.”

That means that someone snooping on the same public Wi-Fi network can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in. Making matters worse, several airports are notorious for their risky Wi-Fi networks. From there, bad actors could either view the victim’s personal data or manipulate their booking information, researchers said.

Exposed information includes: email address, telephone numbers, BA membership numbers, first and last name, booking reference, itinerary, and flight information such as flight number, flight times and seat number.

The flaw was discovered in July. Researchers said that after they discovered the flaw, they notified the airline of the vulnerable links.

“We take the security of our customers’ data very seriously,” a British Airways spokesperson told Threatpost. “Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected.”

According to British Airways, no passport or payment information can be accessed and there is no evidence to suggest any customer information has been taken.

A similar check-in vulnerability was discovered in February, impacting eight major airlines: Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa and Transavia. All airlines were notified and urged to take action to secure the check-in links.

Researchers stressed that airlines need to adopt encryption throughout the check-in process, as well as require explicit user authentication for all steps where PII is accessible, and especially where it is editable.

British Airways has been plagued by cybersecurity scandals repeatedly over the past year. In September 2018, British Airways said approximately 380,000 card payments were compromised after a security breach occurred on the company’s website and mobile app in August (that figure was later amended to add a further 185,000 victims to the official tally). In July 2019, a record $230 million fine was proposed against British Airways for the airline’s 2018 data breach, which impacted 500,000 of the airline’s customers.

Other airlines have also been hit by security issues. In August, Air Canada said 20,000 mobile app users had their passport information exposed and asked users of its Mobile+ app to reset their accounts after it detected “unusual login behavior” between Aug. 22-24. And, earlier in April, Delta said “a small subset” of customers were impacted by a data breach tied to malware planted on a third-party service.
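The two design points the researchers raise (encrypt the check-in link, and require explicit authentication before PII is shown) can be made concrete. The following is an added example written for this page; it is not code from British Airways, Wandera or Threatpost. It contrasts the weak pattern the article describes (booking reference and surname as plain URL parameters over http) with a hardened design: an https link carrying only an opaque, HMAC-signed, expiring, single-use token, where the booking data stays server-side and the passenger still types their surname on the page. The host `checkin.example.invalid`, the parameter names, and the in-memory `store` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical host used for both link styles; not a real airline endpoint.
HOST = "checkin.example.invalid"

# Query-parameter names that should never travel in an e-mail link (constructed list).
PII_PARAMS = {"bookingref", "bookingreference", "surname", "lastname",
              "email", "phone", "membershipnumber"}


def weak_checkin_link(booking_ref: str, surname: str) -> str:
    """The pattern the article describes: booking reference and surname as plain
    URL parameters over http, logging the passenger in automatically."""
    return f"http://{HOST}/itinerary?" + urlencode(
        {"bookingRef": booking_ref, "surname": surname})


def link_findings(url: str) -> list:
    """Review check for outgoing links: reports a missing TLS scheme and any
    query parameter that carries passenger PII. Empty list means clean."""
    parts = urlparse(url)
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")
    for name in parse_qs(parts.query):
        if name.lower() in PII_PARAMS:
            findings.append(f"pii-param:{name}")
    return findings


def issue_token(secret: bytes, booking_ref: str, surname: str,
                now: int, store: dict, ttl: int = 24 * 3600) -> str:
    """Mint an opaque, HMAC-signed, expiring token. Booking reference and
    surname stay in the server-side store; only a random id, the expiry and
    the signature go into the e-mail."""
    token_id = secrets.token_urlsafe(16)
    expires = now + ttl
    payload = f"{token_id}.{expires}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    store[token_id] = (booking_ref, surname)
    return f"{payload}.{sig}"


def secure_checkin_link(token: str) -> str:
    """https link carrying only the opaque token."""
    return f"https://{HOST}/itinerary?" + urlencode({"t": token})


def redeem_token(secret: bytes, token: str, store: dict, now: int,
                 surname_entered: str):
    """Server-side validation. Returns the booking reference on success, else
    None. The surname is typed by the passenger on the page (explicit
    authentication), never read from the URL, and the token is single-use."""
    try:
        token_id, expires, sig = token.split(".")
        expires_at = int(expires)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{token_id}.{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now > expires_at:
        return None
    record = store.get(token_id)
    if record is None:
        return None
    booking_ref, surname_on_file = record
    if not hmac.compare_digest(surname_entered.strip().casefold().encode("utf-8"),
                               surname_on_file.strip().casefold().encode("utf-8")):
        return None
    del store[token_id]  # single use: a replayed link no longer works
    return booking_ref


if __name__ == "__main__":
    print(link_findings(weak_checkin_link("ABC123", "Smith")))
    store = {}
    tok = issue_token(b"server-secret", "ABC123", "Smith", int(time.time()), store)
    print(link_findings(secure_checkin_link(tok)))
    print(redeem_token(b"server-secret", tok, store, int(time.time()), "smith"))
```

The `link_findings` check is the kind of test a team can run over its own e-mail templates: any link that comes back with `no-tls` or a `pii-param` finding is one that a passive observer on shared Wi-Fi could read. The token design removes the PII from the link entirely, so even an intercepted link yields nothing without the surname typed at the page, and nothing at all once it has been used or has expired.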
British Airways E-Ticketing Flaw Exposes Passenger Flight, Personal Data (syndicated by govanguard, 2019-08-13 10:06)