An Australian hacker recently obtained the passport number and phone number of former Australian Prime Minister Tony Abbott using a picture of Mr. Abbott’s Qantas boarding pass which the latter posted on Instagram.
A few months ago, Mr. Abbott published a post on Instagram to celebrate his return to Down Under from Japan, captioning a picture of his boarding pass with the message: “A big thank you to all the team on QF26 from Tokyo. Hope to see you flying again soon! This will pass.”
Earlier this week, Alex Hope, an Australian self-styled hacker indulging in testing the security of websites and all things digital, said he was able to access Mr. Abbott’s passport number and his phone number using the picture of the boarding pass that was shared publicly on Instagram.
Using the booking reference number printed on the boarding pass and Mr. Abbott’s last name, Hope was able to log in to the former prime minister’s account on the Qantas website that let him view the details of Mr. Abbott’s itinerary, flight details, as well as his personal information.
Having accessed Mr. Abbott’s personal details, Hope set out to contact the former prime minister’s office to inform about the exposure, a process that took around six months before Mr. Abbott’s personal secretary informed him that they had initiated the process of getting a new passport number for Mr. Abbott. Shortly afterward, Mr. Abbott himself dialed Hope and asked him how to learn about “the IT”.
“When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT since he wanted to learn about it. That was kinda humanising since it made me realise that even famous people are just people too,” Hope wrote in a blog post.
In the meantime, Hope contacted the Australian Signals Directorate, Australia’s equivalent of GCHQ, to inform them about the exposure of personal information of a former prime minister. ASD informed him that they had taken cognizance of the matter and were investigating the issue.
Hope also made attempts to contact Qantas and after much effort, was able to get in touch with a Qantas rep who acknowledged the issue on their website, promising to investigate the matter. Many months later, Qantas finally replied, stating that a bug on their website had been fixed.
“Thanks again for letting us have the opportunity to review and again for refraining from posting until the fix was in place for vulnerability. Our standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains.
“We appreciate you bringing it to our attention in such a responsible way, so we could fix the issue, which we did a few months ago now,” Qantas told Hope in an email.
“The point of this story isn’t to say “wow Tony Abbott got hacked, what a dummy”. The point is that if someone famous can unknowingly post their boarding pass, anyone can,” Hope added.
Commenting on the leak of Mr. Abbott’s personal details via Qantas’ flight booking site, Kelvin Murray, Senior Threat Research Analyst at Webroot, said everyone needs to be cautious about how much personal information they share, and this is an example of there being more information in a photo than might meet the eye. In this case, what was posted was used to access personal details and accounts though the booking reference that was in the image.
“In order to limit the impact of these types of activities, users need to be aware of where valuable data might lie. As more people and businesses use social media, cybercriminals are finding more creative attack methods. Beyond this, there are two parties at fault here.
“Firstly you should never post tickets or identification documents online. There are simply too many ways in which a hacker can use basic OSINT or more complicated techniques to find further information. Secondly, there was clearly an issue with website security here as personal details such as phone or passport numbers should never be available through HTML in this way. In this case, it looks like the hacker in question alerted all parties in a responsible way, and the airline has been able to protect future customers as a result of this breach,” he added.