British Airways has come under fire from the security community again, this time after a vulnerability in its e-ticketing system was found to be exposing passengers' personally identifiable information (PII).
Security firm Wandera claimed in a blog post yesterday that the airline was sending out unencrypted check-in links to customers which contained the booking reference and surname in the URL itself.
“Therefore, someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname, and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information,” the firm explained.
With access to a customer’s account, hackers could then access further identity info including full name, itinerary, email address, phone number and much more – all valuable for use in potential follow-on phishing attacks and identity fraud.
Back in February, Wandera found the same vulnerability in check-in links sent by Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa and Transavia.
The firm recommended airlines use one-time tokens for direct links within emails and require explicit user authentication for all steps where PII is accessible and editable.
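To make the recommendation concrete, here is an added example (not code from Wandera, British Airways or any airline) that contrasts the weak link format described above with the one-time-token design the firm recommends. The base URL, the 24-hour validity window and the booking references are assumptions chosen for illustration. The service stores only a hash of each token, marks it used on first redemption, rejects it after expiry, and still gates the PII behind a separate authentication check so that the link alone never reveals or edits personal data.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical validity window for a check-in token (assumption, not from the article).
TOKEN_TTL_SECONDS = 24 * 3600


def weak_check_in_link(base_url, booking_ref, surname):
    """The pattern the article describes: the credentials needed to open the
    itinerary travel in the URL itself, so anyone who sees the request can reuse them."""
    return f"{base_url}/checkin?" + urlencode({"ref": booking_ref, "surname": surname})


def credentials_from_weak_link(link):
    """Shows why the weak format is a problem: the query string is the whole secret,
    and it is reusable indefinitely."""
    q = parse_qs(urlparse(link).query)
    return q["ref"][0], q["surname"][0]


class CheckInLinkService:
    """Issues single-use, expiring check-in tokens and validates them.

    Only the SHA-256 of the token is kept server-side, so a leaked token table
    cannot be turned back into working links. A redeemed token maps to a booking
    reference, but PII is only released once the user has also authenticated."""

    def __init__(self, base_url, now=time.time):
        self.base_url = base_url
        self.now = now  # injectable clock so expiry can be exercised in tests
        self._tokens = {}  # sha256(token) -> {"booking": str, "expires": float, "used": bool}
        self._itineraries = {}  # booking_ref -> PII record (constructed sample data)

    def register_booking(self, booking_ref, record):
        self._itineraries[booking_ref] = record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_link(self, booking_ref):
        """Mint a 256-bit random token; the link carries nothing but the token."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "booking": booking_ref,
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return f"{self.base_url}/checkin?t={token}"

    def redeem(self, token):
        """Return the booking reference for a valid, unused, unexpired token, else None.
        The token is burned on first use, so a replayed request gets nothing."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return None
        rec["used"] = True
        return rec["booking"]

    def itinerary(self, booking_ref, authenticated):
        """Second control from the recommendation: the link alone is not enough.
        PII is returned only for an explicitly authenticated session."""
        if not authenticated:
            return None
        return self._itineraries.get(booking_ref)


def demo():
    """Constructed walk-through; returns a dict of observations for the reader."""
    clock = {"t": 1_000_000.0}
    svc = CheckInLinkService("https://airline.example", now=lambda: clock["t"])
    svc.register_booking("ABC123", {"name": "A. Traveller", "email": "a@example.invalid"})

    weak = weak_check_in_link("https://airline.example", "ABC123", "Traveller")
    replayable = credentials_from_weak_link(weak)  # observer learns both fields

    link = svc.issue_link("ABC123")
    token = parse_qs(urlparse(link).query)["t"][0]
    first = svc.redeem(token)    # "ABC123"
    second = svc.redeem(token)   # None: single use
    pii_unauth = svc.itinerary(first, authenticated=False)  # None: still gated
    pii_auth = svc.itinerary(first, authenticated=True)

    stale = parse_qs(urlparse(svc.issue_link("XYZ789")).query)["t"][0]
    clock["t"] += TOKEN_TTL_SECONDS + 1
    expired = svc.redeem(stale)  # None: past the validity window

    return {
        "replayable": replayable,
        "first": first,
        "second": second,
        "pii_unauth": pii_unauth,
        "pii_auth": pii_auth,
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the token is the only thing in the URL: even a captured link is useless after its first use or after the window closes, and the itinerary page still demands authentication before anything editable is shown.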
The news comes as BA is still reeling from a proposed £183m GDPR fine following security failings that allowed Magecart attackers to harvest customer details from its website.
Cesar Cerrudo, CTO at pen testers IOActive, argued that the focus for developers is too often on usability, performance and scalability rather than security.
“What is forgotten is just how sensitive the data being stored is,” he added.
“Yet while it is common practice for airlines to use third-party penetration testing for their hardware and critical flight services, they often test their online services and applications in-house using teams that are often under pressure from IT to meet strict time deadlines, meaning things slip through the gaps.”
Israel Barak, CISO at Cybereason, praised BA for acknowledging the incident and promising to fix it.
“This is hardly a knock-out punch for the airlines. For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over,” he added.
“As an industry, until we can start making cybercrime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive pay-outs.”