British Airways (BA) has been criticized for allowing hackers easy access to customer flight information. The issue was exposed Tuesday by researchers who discovered “a vulnerability affecting British Airways’ e-ticketing system that exposes passengers’ personally identifiable information (PII).”
The problem lies in the check-in links sent by BA to passengers via email. For customer convenience, the URLs contain the information necessary to automatically log in to the check-in record details held by BA. A passenger can just click this link to access the record. The danger, however, is that the log-in details in the URL are in clear text — meaning that any hacker able to intercept or otherwise view the link can gain unencumbered access to the personal information in the record.
The personal information exposed is not among the most critical. There is no access to any payment information or passport details. It includes, however, name, email address, phone number and flight details — all of which could be valuable to hackers and social engineers. BEC scams have already timed their attack for when the CEO is airborne to make normal communications more difficult and add urgency to the request.
Researchers at Wandera reported, “In July 2019, our threat research team observed that passenger details were being sent unencrypted when a user on our network accessed the British Airways e-ticketing system. It was at that time that Wandera notified the airline of the vulnerable link.”
British Airways told Forbes they had not received any detailed information from Wandera, and claimed there is no evidence that any personal information has been stolen. Wandera estimates, however, that approximately 2.5 million connections to BA have been made over the last six months — any one of which was potentially vulnerable.
This type of vulnerability is commonly the result of two separate pressures: the need for speed in development, and the desire to provide convenience to the customer; that is, the priority for ease over security.
“This situation,” commented Nabil Hannan, managing principal at Synopsys, “illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing. In other words, there isn’t necessarily a security bug, but rather a security design flaw. This flaw exists in how the system designed this check-in process and didn’t analyze any implications around transmitting certain data elements as part of the URL.”
On convenience, Cesar Cerrudo, CTO at IOActive, commented, “When building a customer facing application, the focus is too often on usability, scalability and performance, and security can be a bit of an afterthought. Yet what is forgotten is just how sensitive the data being stored is.” He believes that a third-party penetration test would have exposed the problem very quickly.
It is surprising, however, that the issue exists at all. Wandera detected and reported on the same problem with other airlines, including Southwest in the US, KLM and Transavia in the Netherlands, Vueling and Air Europe in Spain, Jetstar in Australia, and Thomas Cook in the UK, in February 2019.
This warning together with the fine of $230 million levied by the UK’s Information Commissioner’s Office in July 2019 for the 2018 BA data breach make it surprising that such a simple flaw in the firm’s handling of personal information should be allowed to persist.
Wandera believes airlines should encrypt communications during the check-in process, they should implement additional authentication mechanisms for processes that involve access to personal information (especially if that information can be edited), and use one-time tokens for direct links delivered via email or SMS.
Wandera, headquartered in San Francisco and London, raised $15 million in a Series B funding round in February 2015, and supplemented this with a $27.5 million Series C round in May 2017 — bringing the total raised to $53.5 million.