Airline Customers' Data Exposed by HTTPS Hole – Report

Serious security holes have been found in the mobile sites and apps of several big name airline and rail companies, exposing payment data and sensitive personally identifiable information (PII).

Security vendor Wandera notified 16 companies including easyJet, Chiltern Railways, Aer Lingus, AirAsia and Air Canada—although its investigation is still ongoing.

The vendor claimed that these providers failed to use HTTPS to encrypt the connection between their end and the app or mobile site used by their customers.

This means that in the case of Aer Lingus, customers' card and billing address information were unsecured, Wandera claimed.

In the case of Air Canada, Wandera claimed that complete credit card data as well as passport details such as name, date of birth, passport number, expiry date and issuing country code were left unencrypted.

The security firm told Infosecurity that it notified the affected companies on Sunday via their web form or in some cases a specific IT-relevant email address.

If true, the security oversight is significant given that PCI DSS 3.1 requirements very clearly state that “sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals.”

Wandera CEO, Eldar Tuvey, claimed that HTTPS has not been used either because of a flaw in coding or because the firms in question are relying on “inadequate third party services or libraries.”

“We do not expect that it’s a big job to fix at all, which is why it is all the more surprising that it’s not been done in the first place,” he told Infosecurity by email.

However, there will be some work for the affected organizations to do in order to fully remediate and prevent a similar problem happening in the future.

“We would expect companies to perform full code and configuration reviews before deployment, ongoing analysis of logging data to determine any insecurities and to follow recognized frameworks such as OWASP for secure coding,” he advised.

“On top of this, companies need to remember to test, test and test again for any security failings, paying particular attention to connection types such as HTTP or HTTPS.”

However, easyJet responded that the vendor had got it wrong and that its lawyers were challenging the claims. In an email sent to Infosecurity it had the following:

"All passenger data is transmitted using HTTPS encryption and we have retested all our mobile channels overnight in light of Wandera’s claims and can confirm that this is the case.  In addition, no easyJet customers have reported payment security issues based on their use of the easyJet app."

Aer Lingus has also been in touch to dispute the findings, with the following statement:

"Having contacted Wandera and investigated the matters they raised we are confident that their concerns are unfounded."

Photo © Ditty_about_summer

What’s Hot on Infosecurity Magazine?