
British Airways Bug Discloses Passengers’ Personal Data

More trouble for British Airways: this time, researchers have discovered a vulnerability in the airline’s electronic ticketing system. By exploiting it, an attacker can view a passenger’s personal data or change reservation details.

According to Wandera experts who discovered this vulnerability, the registration links that British Airways sends to its customers in emails are not encrypted.

As a result, an attacker can easily intercept a passenger’s identification number, name, email address and other data.

The researchers say that about 2.5 million connections were recorded on the affected British Airways domains over the past six months.

“In order to simplify the user experience, passenger data is included in the URL as parameters. Such a link leads the client directly from a letter to the British Airways website, where the authentication process takes place automatically. The very details included in the URL are the identification number and last name. This data is not encrypted in any way and may be available to any interested person,” the experts’ report says.

This means that an attacker who is on the same Wi-Fi network as a victim can easily intercept the link and gain access to passengers’ registration data.

The situation is aggravated by the extremely weak level of security in some Wi-Fi networks at airports.

Read also: British Airways will pay a record penalty for data leakage within the GDPR

Recall that in early July, the UK Information Commissioner’s Office fined British Airways, the country’s largest airline and national carrier, for non-compliance with the GDPR. The fine was a record £183 million.

The penalty was so severe because the company failed to protect its customers’ personal data; British Airways suffered the leak in September of the previous year.

Recommendations of Wandera specialists
  1. Airlines should adopt encryption throughout the check-in process.
  2. Airlines should require explicit user authentication for all steps where PII is accessible and especially when it is editable.
  3. Airlines should utilize one-time use tokens for direct links within emails.
  4. Users should have an active mobile security service deployed to monitor and block data leaks and phishing attacks.
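The quoted report describes the weak pattern (booking identifier and surname carried as plaintext URL parameters that log the user in automatically), and the first three recommendations describe the fix. The following Python is an added illustration, not code from Wandera or British Airways: an audit function that flags emailed links using the weak pattern, and a small issuer of single-use, expiring tokens for direct links. The parameter names, URLs, booking references and time values are all constructed for the example.

```python
"""
Added example: the weak check-in link pattern described in the article versus
a single-use, time-limited token link (recommendations 1 and 3).
All names, URLs and sample bookings below are constructed for illustration.
"""
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Query-parameter names treated as PII or booking identifiers (constructed list;
# a real audit would use the names found in the airline's own email templates).
PII_PARAMS = {"bookingref", "pnr", "lastname", "surname", "email", "ticketnumber"}


def audit_checkin_link(url: str) -> List[str]:
    """Return findings for an emailed link; an empty list means it looks clean.

    Flags the two weaknesses the report describes: the link is not served over
    HTTPS, and/or it carries PII as query-string parameters.
    """
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("link is not HTTPS")
    params = {k.lower() for k in parse_qs(parsed.query)}
    exposed = sorted(params & PII_PARAMS)
    if exposed:
        findings.append("PII in query string: " + ", ".join(exposed))
    return findings


class OneTimeLinkIssuer:
    """Issues single-use, expiring tokens for direct links (recommendation 3).

    The link itself carries only an unguessable random token; the mapping from
    token to booking lives server-side and is deleted on first redemption.
    """

    def __init__(self, base_url: str, ttl_seconds: int = 3600):
        self.base_url = base_url
        self.ttl = ttl_seconds
        # token -> (booking id, expiry timestamp)
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def issue(self, booking_id: str, now: Optional[float] = None) -> str:
        """Create a link for one booking; `now` is injectable for testing."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[token] = (booking_id, now + self.ttl)
        return f"{self.base_url}?{urlencode({'t': token})}"

    def redeem(self, url: str, now: Optional[float] = None) -> Optional[str]:
        """Return the booking id for a valid, unexpired token and consume it.

        Returns None for unknown, already-used or expired tokens. The token is
        removed before the expiry check so an expired token cannot be retried.
        """
        now = time.time() if now is None else now
        token = parse_qs(urlparse(url).query).get("t", [None])[0]
        if token is None:
            return None
        entry = self._tokens.pop(token, None)  # single use: gone after first call
        if entry is None:
            return None
        booking_id, expiry = entry
        if now > expiry:
            return None
        return booking_id


if __name__ == "__main__":
    # Constructed example of the weak pattern versus a tokenised link.
    weak = "http://example.invalid/checkin?bookingRef=ABC123&lastName=Smith"
    print("weak link findings:", audit_checkin_link(weak))
    issuer = OneTimeLinkIssuer("https://example.invalid/checkin", ttl_seconds=600)
    link = issuer.issue("ABC123")
    print("token link findings:", audit_checkin_link(link))
    print("first redeem:", issuer.redeem(link))
    print("second redeem:", issuer.redeem(link))
```

Even with a token link, recommendation 2 still applies: the page the token lands on should only display the booking, and any step that edits PII should require the passenger to authenticate explicitly rather than relying on the link alone.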
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
