Millions of German airline passengers’ data exposed to security gaps for years
The personal data of millions of travelers, including itineraries, names, addresses, invoices and payment information was accessible online for years, Sueddeutsche Zeitung reported on Monday. No sophisticated IT skills were needed to retrieve the data and it could be accessed with minimal effort, the outlet reported.
According to an investigation by the newspaper, the data vulnerability was down to huge security gaps in the computer systems of Berlin-based airline ticket wholesaler Aerticket. The company provides tickets for thousands of corporate clients, including German travel agencies, online booking portals and ticket search engines.
Passengers who booked a flight through one of Aerticket’s partners received an email with a link to retrieve and download their itinerary receipt, Sueddeutsche Zeitung wrote. Every link to an itinerary receipt ended with an eight-digit number, and the company’s failure was that the documents were not otherwise protected.
Anyone could manually change the eight digits at the end of a link and jump to other travelers’ tickets, invoices, routes and credit card numbers. While other flight portals use randomly generated codes made up of numbers and letters, Aerticket did not, the newspaper reported.
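The two link designs the newspaper contrasts, as an added example that is not code from the article or from Aerticket: a receipt store keyed by a consecutive eight-digit number (the pattern described above) beside one keyed by a random token, plus a simple log check a defender could run to spot a client walking through many receipt ids. The host name, the receipt fields and the access-log format are assumptions made up for the example.

```python
"""Added example (not from the article or from Aerticket): a sequential
receipt id versus a random capability token, plus a log check that flags
clients requesting many distinct receipt ids."""
import hashlib
import math
import secrets
from collections import defaultdict
from dataclasses import dataclass

HOST = "https://receipts.example"  # hypothetical host, not Aerticket's


@dataclass
class Receipt:
    passenger: str
    route: str
    price_eur: float


class SequentialReceiptStore:
    """Pattern the article describes: the eight-digit number in the link is
    the only thing that selects the document, and numbers are consecutive."""

    def __init__(self):
        self._next_id = 10_000_000  # first eight-digit id
        self._receipts = {}

    def issue(self, receipt):
        rid = self._next_id
        self._next_id += 1
        self._receipts[rid] = receipt
        return f"{HOST}/itinerary/{rid}"

    def fetch(self, rid):
        # No secret and no ownership check: any valid id resolves.
        return self._receipts.get(rid)


class TokenReceiptStore:
    """Hardened pattern: the link carries a random 256-bit token, and only a
    hash of the token is stored, so a leaked database yields no usable links."""

    def __init__(self):
        self._receipts = {}  # sha256(token) -> Receipt

    def issue(self, receipt):
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe encoding
        self._receipts[self._hash(token)] = receipt
        return f"{HOST}/itinerary/{token}"

    def fetch(self, token):
        # Lookup goes through the hash, so a modified token cannot land on
        # a neighbouring document the way an adjacent number does.
        return self._receipts.get(self._hash(token))

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()


def id_space_bits(alphabet_size, length):
    """Bits of guessing work an identifier drawn from alphabet_size**length
    values offers; eight decimal digits give about 26.6 bits."""
    return math.log2(alphabet_size ** length)


def flag_enumeration(log_lines, threshold=20):
    """Return clients that requested at least `threshold` distinct receipt ids.
    Each line is '<client_ip> <path> <status>' (constructed format)."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, path, _status = line.split()
        if path.startswith("/itinerary/"):
            seen[ip].add(path.rsplit("/", 1)[1])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed sample log: one client re-opens its own receipt, another
# requests 25 consecutive receipt numbers.
SAMPLE_LOG = ["10.0.0.5 /itinerary/10000042 200"] * 2 + [
    f"203.0.113.7 /itinerary/{10_000_000 + i} 200" for i in range(25)
]

if __name__ == "__main__":
    seq = SequentialReceiptStore()
    seq.issue(Receipt("A. Traveler", "BER-LHR", 189.0))
    seq.issue(Receipt("B. Traveler", "MUC-CDG", 221.5))
    print("sequential store, id 10000001 ->", seq.fetch(10_000_001))

    tok = TokenReceiptStore()
    link = tok.issue(Receipt("C. Traveler", "FRA-MAD", 142.0))
    print("token store, issued link ->", tok.fetch(link.rsplit("/", 1)[1]))
    print("decimal 8-digit id space:", round(id_space_bits(10, 8), 1), "bits")
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```

In the sequential store a number one higher than the issued id resolves to the next passenger's receipt; in the token store only the exact issued token resolves. The log check is deliberately coarse (distinct ids per client) so that it works on plain access logs; in production it would be fed from the web server's log stream rather than a list.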
The accessible files contained passengers’ names and addresses, departure airports, airline names as well as prices at which tickets were booked. In some cases, booking codes and dates of birth were available as well.
Aerticket responded quickly to the newspaper report and eliminated the vulnerability within hours. The company also admitted the gap had existed since 2011 with some 1.5 million bookings made since then – a statement which Sueddeutsche Zeitung could not verify.
Aerticket AG is the largest independent airline ticket wholesaler in Germany. Such companies serve as intermediaries between airlines and travel agencies or booking portals, as issuing tickets on their own normally requires a costly license from the International Air Transport Association (IATA).
The company said the security gap was not exploited by criminals, but Berlin data protection authorities said they would investigate the case, a process that may take several months.
Around 14,500 corporate customers in Germany work with Aerticket, but European passengers’ data could have been accessible as well. German travel portal flight24.de, also an Aerticket customer, had national websites in Austria, the UK, the Netherlands, France, Italy and Spain.