British Airways' leaky check-in process leaves passenger information exposed

The unencrypted and easily interceptable check-in links of British Airways enable unauthorised third parties to view and change passengers' flight booking details and personal information

Days after British Airways' flight schedule went haywire after an IT failure, researchers have identified a vulnerability in its e-ticketing system that exposes the personally identifiable information (PII) of its passengers.

"Airline check-in links that are unencrypted and easily intercepted enable unauthorised third parties to view and change passengers’ flight booking details and personal information," said a research report by Wandera.

"In July 2019, our threat research team observed that passenger details were being sent unencrypted when a user on our network accessed the British Airways e-ticketing system. It was at that time that Wandera notified the airline of the vulnerable link," the report said.

The scale of a possible breach is huge. British Airways and its subsidiaries carried 46.8 million passengers in 2018. Most of them have booked their tickets online, with a significant chance of them accessing their details at the airport. 

Effectively, the data of these passengers can be read by anyone snooping on the same public Wi-Fi network as the user, especially in insecure environments such as airports. British Airways has reportedly denied any possibility of third-party access to payment information or a breach of customer data.

"The challenge when sending links that could potentially divulge information, such as names and flight confirmation numbers, is that airlines typically use this information to look up and manage reservations," Synopsys managing principal Nabil Hannan told SC Media UK.

"The confirmation number is something that users need to realise is actually private data. The inclusion of such data elements within the link poses the issue that anyone monitoring network traffic would be able to see this information as part of HTTP requests," he explained. 

The latest revelations come at a time when BA is still recovering from a devastating data breach, for which it was penalised with a £183 million fine under the GDPR, and from another tech snag, the latest in a series of IT issues.

Compared with those, the present issue is "hardly a knock-out punch" for the airline, said Israel Barak, chief information security officer at Cybereason.

"The British Airways vulnerability again sheds light on the difficulty airlines, and all corporations for that matter, are having protecting the backbone of their organisation - customer data. This isn't the first vulnerability either, as many as 10 airlines were reportedly investigating a similar vulnerability earlier this year," he told SC Media UK.

In February, Wandera researchers discovered a vulnerability affecting a number of airline e-ticketing systems, which offered access points to passengers' PII. Eight airlines, from flag-carrier Air France to low-cost operator Jetstar, were named in the report.

"This situation illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing. In other words, there isn’t necessarily a security bug, but rather a security design flaw. This flaw exists in how the system designed this check-in process and didn’t analyse any implications around transmitting certain data elements as part of the URL," said Hannan.

Wandera recommended four steps to counter the latest vulnerability, including adopting encryption throughout the check-in process; making user authentication mandatory for every step where PII is accessible, and especially where it is editable; and issuing one-time-use tokens for direct links within emails.
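The following is an added illustration of the last two recommendations (HTTPS-only links and single-use tokens); it is example code written for this article, not Wandera's or British Airways' own implementation. The hostname `checkin.example.com`, the class name `CheckInLinkService` and the secret key are constructed placeholders. The design point is that the emailed link carries only an opaque, HMAC-protected token: the booking reference and passenger name never appear in the URL, the server refuses plaintext `http://` links, and each token is burned on first use, so a link captured from network traffic is useless to a third party.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder: in production this lives in a secret store, not in code.
SERVER_SECRET = b"replace-with-a-server-side-secret"


class CheckInLinkService:
    """Issues single-use check-in links and validates them on redemption.

    Hypothetical service for illustration. The URL contains only a random
    token id, an expiry and an HMAC over both; the booking reference is held
    server-side and looked up from the token, never placed in the URL.
    """

    def __init__(self, key: bytes, ttl_seconds: int = 900, now=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._now = now                 # injectable clock (eases testing)
        self._pending = {}              # token_id -> (booking_ref, expires_at)

    def _mac(self, token_id: str, expires_at: int) -> str:
        msg = f"{token_id}:{expires_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_link(self, booking_ref: str,
                   base: str = "https://checkin.example.com/checkin") -> str:
        """Create a fresh single-use link for a booking (always https)."""
        token_id = secrets.token_urlsafe(24)          # 192 bits of randomness
        expires_at = int(self._now()) + self._ttl
        self._pending[token_id] = (booking_ref, expires_at)
        query = urlencode({"t": token_id, "e": expires_at,
                           "m": self._mac(token_id, expires_at)})
        return f"{base}?{query}"

    def redeem(self, url: str):
        """Return the booking reference for a valid, unused link, else None."""
        parsed = urlparse(url)
        if parsed.scheme != "https":
            return None                 # refuse links that would travel in clear
        q = parse_qs(parsed.query)
        try:
            token_id = q["t"][0]
            expires_at = int(q["e"][0])
            mac = q["m"][0]
        except (KeyError, ValueError, IndexError):
            return None
        # Constant-time comparison so tampering cannot be probed byte by byte.
        if not hmac.compare_digest(mac.encode(), self._mac(token_id, expires_at).encode()):
            return None
        entry = self._pending.get(token_id)
        if entry is None:
            return None                 # unknown token, or already used
        booking_ref, stored_expiry = entry
        if stored_expiry != expires_at or self._now() > expires_at:
            self._pending.pop(token_id, None)
            return None                 # expired: discard rather than keep around
        del self._pending[token_id]     # burn the token: one use only
        return booking_ref


if __name__ == "__main__":
    svc = CheckInLinkService(SERVER_SECRET, ttl_seconds=900)
    link = svc.issue_link("ABC123")     # constructed sample booking reference
    print("emailed link:", link)
    print("first use  ->", svc.redeem(link))
    print("second use ->", svc.redeem(link))
```

A captured link is only as safe as the token store behind it: the `_pending` dictionary stands in for a database table keyed by token id, and the HMAC check lets the server reject forged or altered parameters before it ever touches that store.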

"Users should have an active mobile security service deployed to monitor and block data leaks and phishing attacks," the report added.

"For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over. As an industry until we can start making cyber-crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts," said Barak.
