Security researchers have warned that the mode of communication employed by British Airways to share check-in information with passengers could expose the latter’s personal information to hackers in case they manage to intercept such link requests.
In July, the Information Commissioner’s Office proposed a fine of £183.39 million on British Airways under GDPR for failing to prevent a cyber incident last year that compromised personal and financial information of approximately 500,000 customers.
The cyber incident in question involved a hacker group stealing login information, passenger names, addresses, booking details, and payment card information from British Airways’ website after using scripts to modify the website and extracting information from payment forms on the website.
British Airways sharing unencrypted check-in links with passengers
A little over a month after the staggering fine was proposed, cyber security research firm Wandera has warned that British Airways could be inadvertently exposing the personal information of hundreds of thousands of passengers to hackers by failing to encrypt check-in links that are sent to passengers via email before a scheduled flight.
“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight.
“The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.
“Therefore, someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information,” the firm warned.
It added that a passenger’s booking information with British Airways includes personally-identifiable data such as first and last names, email addresses, and phone numbers as well as flight information such as seat numbers, flight numbers, itinerary, flight schedules, and baggage allowance.
The firm said that earlier this year, it had observed that other major airlines, including Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia, used the same method to send check-in links to passengers via email without encrypting such links to prevent hackers from intercepting them via public Wi-Fi.
All private data need to be encrypted to prevent data breaches
It added that in order to prevent hackers from intercepting such links, airlines should utilise one-time use tokens for direct links within emails, should adopt encryption throughout the check-in process, should have an active mobile security service deployed to monitor and block data leaks and phishing attacks, and should require explicit user authentication for all steps where PII is accessible and especially when it is editable.
Commenting on Wandera’s findings, Javvad Malik, security awareness advocate at KnowBe4, said that sending unencrypted emails with authentication data in the URL is certainly far from good security practice and, given the recent British Airways fines proposed by the ICO, it does not paint a good picture.
“However, in order for this attack to be successful, the attacker needs to be connected to the same WiFi network as the victim in order to intercept the email and view the booking. Because of this, the threat is reduced somewhat. British Airways will likely fix the issue soon, but it’s a reminder to users that they should exercise caution when connecting to public wifi hotspots,” he said.
“This situation illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing. In other words, there isn’t necessarily a security bug, but rather a security design flaw. This flaw exists in how the system designed this check-in process and didn’t analyse any implications around transmitting certain data elements as part of the URL,” said Nabil Hannan, managing principal at Synopsys.