Who: E-ticketing systems at Eight Airlines

When: Reported 12 Mar 2019

# of records involved: undetermined

What happened: Hackers intercept passengers Personally Identifiable Information (PII) using website link vulnerability.

How did it happen: 8 major airlines identified are putting passenger data at risk by allowing unauthorized third parties access through unencrypted links the ability to intercept the credentials into their e-ticketing systems that contain all of the PII associated with the airline booking. This means that the hacker can view, and in some cases even change, a user’s flight booking details, and/or print boarding passes. The vulnerability comes when the airline sends unencrypted check-in links to passengers through their e-ticketing systems directing them to a site where they are logged in automatically to the check-in for their flight.

Outcome: Independent Security Evaluators (ISE) examined popular open-source ticketing software, osTicket, and reported they’d identified a “number” of security flaws, and had provided Enhancesoft, the company sponsoring osTicket’s development, with information about the vulnerabilities and how to reproduce them. The Transportation Security Administration (TSA) has not responded but the Government Accountability Office (GAO) has discussed similar problems in audit reports to Congress