The issue first came to light when ‘davyjones’ posted an alert to the Cruise Critic web forum: “I have received an email from Cunard with a spreadsheet file attached giving me the booking reference and names and email address of 1225 passengers. This information would allow me to see all the information such as address, contact number and passport information that you need to enter before your cruise. My name and number is on the list.”
Cunard rapidly closed down the booking system and confirmed the error. It told Cruise Critic, “Cunard can confirm that an e-mail was sent in error to some guests containing details relating to other guests' bookings. We took swift action to close down the check-in system, Voyage Personalizer, until we are able to re-issue new secure log-in details to all affected guests.”
Cunard Line’s President and Managing Director Peter Shanks told Jeff Randall Live (Sky News) that no passport information or credit card numbers were sent out. “However,” reports Cruise Critic in support of davyjones’ original comment, “it would theoretically be possible to access individuals' passport information using the booking reference numbers, names and email addresses.”
Although Cunard responded rapidly, the issue has the potential to grow. In the ensuing online discussion, davyjones points out that Cunard’s booking system was not very well protected. “It is about time the likes of cruise lines and airlines allowed one to set an additional password to supplement only needing the booking reference and person's name to access their details.” He went on to look at the spreadsheet attachment and pointed out that the booking reference numbers (effectively the passwords) would be easy to crack. “The first two characters are all the same, the third has about 6 variations and the remaining three are random. It would not take too long to write a script to churn through...”
He then goes on to explain the relevance. “I'm a good guy but someone who wasn't might have a trawl for QG bookings (as that's where the money is), get their address and telephone number, ring up when they are away and if no answer pay a visit.”
Since several other members of the forum recommended making a complaint to the ICO, this might not be the last we hear of this particular breach.
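The weakness davyjones describes in the booking reference can be measured from the operator's side before such a value is relied on as a login secret. The following is an added example, not code from the article or from Cunard; the sample references, the `ZZ` prefix, the 36-character alphabet and the 64-bit floor are constructed assumptions.

```python
import math

# Constructed sample in the shape the forum post describes: two fixed leading
# characters, a third with about six variations, three random characters.
# "ZZ" is a placeholder prefix, not a real booking-reference value.
SAMPLE_REFS = [
    "ZZA7K2", "ZZB3QX", "ZZC9M4", "ZZD1TP", "ZZE6HW", "ZZF8R5",
    "ZZA2VN", "ZZB5J9", "ZZC4LD", "ZZD0YG", "ZZE3BS", "ZZF7C6",
]
ALPHABET_SIZE = 36  # assumption: A-Z plus 0-9 in the random positions
MIN_BITS = 64       # assumption: floor for a value used as the only secret


def position_choices(refs, alphabet_size=ALPHABET_SIZE):
    """Estimate how many values each character position can take."""
    if len({len(r) for r in refs}) != 1:
        raise ValueError("mixed lengths: audit each reference format separately")
    choices = []
    for column in zip(*refs):
        distinct = len(set(column))
        # Heavy repetition across the sample means the position is fixed or
        # restricted, so trust the observed count; otherwise assume the
        # position is random over the full alphabet.
        choices.append(distinct if distinct <= len(refs) // 2 else alphabet_size)
    return choices


def audit(refs, alphabet_size=ALPHABET_SIZE, min_bits=MIN_BITS):
    """Compare the effective keyspace with the nominal one and with a floor."""
    choices = position_choices(refs, alphabet_size)
    keyspace = math.prod(choices)
    bits = math.log2(keyspace)
    return {
        "choices": choices,
        "keyspace": keyspace,
        "effective_bits": round(bits, 1),
        "nominal_bits": round(len(choices) * math.log2(alphabet_size), 1),
        "meets_floor": bits >= min_bits,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_REFS).items():
        print(f"{key}: {value}")
```

Under these assumptions the pattern in the post leaves 279,936 possible references, about 18 bits, against a nominal 31 bits for six alphanumeric characters.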