British Airways Criticized for Exposing Passenger Flight Details

British Airways (BA) has been criticized for allowing hackers easy access to customer flight information. The issue was exposed Tuesday by researchers who discovered “a vulnerability affecting British Airways’ e-ticketing system that exposes passengers’ personally identifiable information (PII).”

The problem lies in the check-in links sent by BA to passengers via email. For customer convenience, the URLs contain the information necessary to automatically log in to the check-in record details held by BA. A passenger can just click this link to access the record. The danger, however, is that the log-in details in the URL are in clear text — meaning that any hacker able to intercept or otherwise view the link can gain unencumbered access to the personal information in the record.

The personal information exposed is not among the most critical. There is no access to any payment information or passport details. It includes, however, name, email address, phone number and flight details — all of which could be valuable to hackers and social engineers. BEC scams have already timed their attack for when the CEO is airborne to make normal communications more difficult and add urgency to the request.

Researchers at Wandera reported, “In July 2019, our threat research team observed that passenger details were being sent unencrypted when a user on our network accessed the British Airways e-ticketing system. It was at that time that Wandera notified the airline of the vulnerable link.”

British Airways told Forbes they had not received any detailed information from Wandera, and claimed there is no evidence that any personal information has been stolen. Wandera estimates, however, that approximately 2.5 million connections to BA have been made over the last six months — any one of which was potentially vulnerable. 

This type of vulnerability is commonly the result of two separate pressures: the need for speed in development, and the desire to provide convenience to the customer; that is, the priority for ease over security.

“This situation,” commented Nabil Hannan, managing principal at Synopsys, “illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing. In other words, there isn’t necessarily a security bug, but rather a security design flaw. This flaw exists in how the system designed this check-in process and didn’t analyze any implications around transmitting certain data elements as part of the URL.”

On convenience, Cesar Cerrudo, CTO at IOActive, commented, “When building a customer facing application, the focus is too often on usability, scalability and performance, and security can be a bit of an afterthought. Yet what is forgotten is just how sensitive the data being stored is.” He believes that a third-party penetration test would have exposed the problem very quickly.

It is surprising, however, that the issue exists at all. In February 2019, Wandera had already detected and reported the same problem at other airlines, including Southwest in the US, KLM and Transavia in the Netherlands, Vueling and Air Europe in Spain, Jetstar in Australia, and Thomas Cook in the UK.

This warning, together with the fine of $230 million levied by the UK’s Information Commissioner’s Office in July 2019 for the 2018 BA data breach, makes it surprising that such a simple flaw in the firm’s handling of personal information should have been allowed to persist.

Wandera believes airlines should encrypt communications during the check-in process, implement additional authentication mechanisms for processes that involve access to personal information (especially if that information can be edited), and use one-time tokens for direct links delivered via email or SMS.
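To make the design flaw and the one-time-token recommendation concrete, here is an added example (not code from BA, Wandera or the article) contrasting a direct link that carries the login details in its query string with a link that carries only an opaque, expiring, single-use token. The host `example.test`, the field names `ref`, `surname` and `t`, and the 24-hour lifetime are assumptions for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Weak variant (assumed field names): the link itself is the credential,
# so anyone who can read the URL can open the booking record.
def build_plain_link(booking_ref, surname):
    return "https://example.test/checkin?" + urlencode(
        {"ref": booking_ref, "surname": surname})

def link_carries_credentials(url, keys=("ref", "surname", "email")):
    """Defensive check: does a link expose identifying fields in its query string?"""
    qs = parse_qs(urlparse(url).query)
    return any(k in qs for k in keys)

class OneTimeLinks:
    """Hardened variant: the URL carries only a random token. The server keeps
    a hash of the token mapped to the record, expires it, and consumes it on
    first use, so an intercepted or forwarded link is worthless afterwards."""

    def __init__(self, ttl_seconds=24 * 3600):
        self.ttl = ttl_seconds
        self._store = {}  # sha256(token) -> (record, expiry timestamp)

    def issue(self, record, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._store[digest] = (record, now + self.ttl)  # store hash, not token
        return "https://example.test/checkin?" + urlencode({"t": token})

    def redeem(self, url, now=None):
        """Return the record for a valid link, or None if the token is
        unknown, already used, or expired."""
        now = time.time() if now is None else now
        token = parse_qs(urlparse(url).query).get("t", [None])[0]
        if token is None:
            return None
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._store.pop(digest, None)     # single use: remove on lookup
        if entry is None:
            return None
        record, expiry = entry
        if now > expiry:
            return None
        return record
```

A production version would still pair the token with a second factor (for example, the passenger's surname entered on the page) before allowing edits, as the article's third recommendation suggests.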

Wandera, headquartered in San Francisco and London, raised $15 million in a Series B funding round in February 2015, and supplemented this with a $27.5 million Series C round in May 2017 — bringing the total raised to $53.5 million.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.