Poorly Written Code in Major Airline Reservation System Exposes Information
Who: Amadeus ticket booking system
# of Accounts Breached: Millions of clients' data
What was affected: The Amadeus ticket booking system is used by 141 international airlines, which gives it control over 44% of the global online reservation market. United Airlines, Lufthansa, and Air Canada are among its clients.
How it happened: After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information. We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions.
Outcome: After Amadeus was contacted regarding the security breach found in its online reservation system, the company issued the following statement: "At Amadeus, we give security the highest priority and are continually monitoring and updating our systems. Our technical teams took immediate action, and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused."