Data security at British Airways is under fire again after security researchers at Wandera disclosed a vulnerability that leaves personal passenger information exposed to hackers sniffing their traffic on public Wi-Fi networks, such as those in airports, according to Zak Doffman, a contributor at Forbes.
The issue, which relates to check-in links sent by email, isn’t new, but that won’t stop BA getting slammed just weeks after being hit with a record $229 fine for a breach of data regulations. Back in 2018, the airline suffered a breach of personal and financial data belonging to more than 500,000 customers.
Now, according to the Wandera security researchers, BA (along with other airlines) includes passenger details in « the URL parameters that direct the passenger from the email to the British Airways website where they have logged in automatically so they can view their itinerary and check-in for their flight. »
If an attacker can intercept the link request, which includes the passenger’s name and booking reference number, those details can be used to access the booking itself. According to the disclosure, the data opened up to attackers includes:
- BA Membership Numbers
British Airways said that it had not received any detailed information from Wandera and that no critical information can be accessed; there is also no evidence that a breach has actually taken place using this vulnerability. As ever, though, when a public disclosure is made the risk of exploitation goes up.
The same issue was disclosed by the same research team back in February. Back then it was Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia under the spotlight. This time it’s BA, and the timing for the U.K.’s flagship airline could not be worse.
Fairly obviously, Wandera advises airlines to fully encrypt the check-in process and to stop trading convenience for security. The team also recommends « one-time-use tokens » for direct links within emails.
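As an added illustration (example code, not from Wandera, British Airways or the article), the two designs the recommendation contrasts in Python: a check that flags a check-in link carrying identifying details as query parameters in the clear, and an issuer of opaque one-time-use tokens that are resolved server side and rejected on replay or after expiry. The host name, parameter names and token lifetime are assumptions.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the pattern the article describes: identifying details
# carried as URL query parameters on a plain-http link. Parameter names are
# assumptions, not the airline's real ones.
WEAK_LINK = "http://example.test/checkin?surname=SMITH&bookingref=ABC123"

# Query parameter names treated as identifying when found in a link (assumed).
IDENTIFYING_PARAMS = {"surname", "lastname", "bookingref", "pnr", "membership"}


def link_exposes_details(url):
    """Report whether a link travels unencrypted and which identifying
    parameters it carries. Identifying parameters are flagged even over
    https, since they persist in mail clients, proxies and server logs."""
    parts = urlsplit(url)
    found = set(parse_qs(parts.query)) & IDENTIFYING_PARAMS
    return {"insecure_transport": parts.scheme != "https",
            "identifying_params": sorted(found)}


class OneTimeCheckinLinks:
    """Issues opaque, single-use, expiring tokens and maps them to bookings
    server side, so the link itself reveals nothing about the passenger."""

    def __init__(self, ttl_seconds=24 * 3600):
        self._ttl = ttl_seconds
        self._pending = {}  # token -> (booking_id, expires_at)

    def issue(self, booking_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._pending[token] = (booking_id, now + self._ttl)
        return f"https://example.test/checkin?t={token}"

    def redeem(self, url, now=None):
        """Resolve a link to its booking exactly once; None if the token is
        unknown, already used, or expired."""
        now = time.time() if now is None else now
        token = parse_qs(urlsplit(url).query).get("t", [None])[0]
        entry = self._pending.pop(token, None)  # pop: a replayed link finds nothing
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```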
A British Airways spokesperson said that « we take the security of our customers’ data very seriously—like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected. »
The fact this issue has been doing the rounds for months but still remains an issue, despite the airline industry being hit by multiple breaches, is surprising and disappointing in itself. That it has hit BA given the events of recent months just makes that even more the case. As passengers, we would like to think that obvious vulnerabilities are quickly plugged—but clearly not.