British Airways check-in vulnerability exposes passenger information
British Airways has put passenger personal information at risk after it was found to be emailing unencrypted links to customers in part of its online check-in e-ticketing process.
Researchers at security firm Wandera said such check-in links could be easily intercepted by attackers, say those lurking on a public Wi-Fi network, and allow malicious actors to view and change the flight booking details and personal information of passengers.
“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they have logged in automatically so they can view their itinerary and check-in for their flight,” explained Wandera. “The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.”
Other information that could be exposed by the flaw includes email address, phone number, membership number, first and last name, booking reference, itinerary, flight number, flight times, seat number and baggage allowance.
Wandera’s threat research team discovered the flaw last month after someone accessed BA’s e-ticketing system from its network. The firm has previously discovered similar vulnerabilities affecting airlines such as Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa and Transavia.
It recommends that airlines adopt encryption throughout their check-in process, require user authentication for steps where personal information could be accessed, utilise one-time time tokens for email links and ensure users have mobile security deployed.
Israel Barak, the chief information security officer at Cybereason, said: "The British Airways vulnerability again sheds light on the difficulty airlines, and all corporations for that matter, are having protecting the backbone of their organisations - customer data.
“This isn't the first vulnerability either, as many as 10 airlines were reportedly investigating a similar vulnerability earlier this year. Kudos to British Airlines for acknowledging the incident and for them working quickly to solve any outstanding issues.
“For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over. “
The news comes after nearly 300 flights were delayed or cancelled at London's Heathrow, Gatwick and City airports when BA faced a major IT outage. And in July, it was fined a record £183 million for GDPR violations.
source itpro
Industry: Cyber Security
Latest Jobs
-
- Solution Architect - OUTSIDE IR35 - Contract- SC / DV - London
- London
- OUTSIDE IR35
-
Solution Architect For a London based Contract This is an Outside IR35 project. MUST have a minimum of an ACTIVE - SC clearance and be willing to be put through DV clearance. 6 month rolling Immediate Experience delivering technical Security Architecture design / assurance of security design. Cross domain experience desirable HLD / LLD London commutable Immediately interviewing.
-
- Microsoft Sentinel Architect
- Netherlands
- discussed on applications
-
Microsoft Sentinel Architect We're seeking a talented and experienced Microsoft Sentinel Architect to be responsible for the design, deploy of a new Sentinel solution into an expanding Services business. As a key member of our team, you'll play a vital role in driving security operations and protecting clients' assets. Responsibilities: Solution Design:Develop comprehensive Microsoft Sentinel architectures aligned with our clients' specific needs and industry best practices. Deployment and Configuration:Oversee the deployment and configuration of Sentinel components, including data connectors, analytics rules, and playbooks. Integration:Integrate Sentinel with other security tools and platforms within our MSSP ecosystem. Tuning and Optimization:Continuously monitor and optimize Sentinel performance to ensure maximum effectiveness and efficiency. Training and Mentoring:Mentor junior team members and provide training on Sentinel technologies and best practices. Required Skills and Experience: Proven experience as a Microsoft Sentinel Architect with a deep understanding of its capabilities and limitations. Strong technical skills in Azure, security operations, and data analytics. Experience designing and implementing complex security solutions, into a services environment Knowledge of threat intelligence, incident response, and compliance frameworks. Excellent communication and problem-solving skills.
-
- Microsoft Sentinel Architect
- Spain
- discussed on applications
-
Microsoft Sentinel Architect We're seeking a talented and experienced Microsoft Sentinel Architect to be responsible for the design, deploy of a new Sentinel solution into an expanding Services business. As a key member of our team, you'll play a vital role in driving security operations and protecting clients' assets. Responsibilities: Solution Design: Develop comprehensive Microsoft Sentinel architectures aligned with our clients' specific needs and industry best practices. Deployment and Configuration: Oversee the deployment and configuration of Sentinel components, including data connectors, analytics rules, and playbooks. Integration: Integrate Sentinel with other security tools and platforms within our MSSP ecosystem. Tuning and Optimization: Continuously monitor and optimize Sentinel performance to ensure maximum effectiveness and efficiency. Training and Mentoring: Mentor junior team members and provide training on Sentinel technologies and best practices. Required Skills and Experience: Proven experience as a Microsoft Sentinel Architect with a deep understanding of its capabilities and limitations. Strong technical skills in Azure, security operations, and data analytics. Experience designing and implementing complex security solutions, into a services environment Knowledge of threat intelligence, incident response, and compliance frameworks. Excellent communication and problem-solving skills.
-
- Microsoft Sentinel Architect
- United Kingdom
- discussed on applications
-
Microsoft Sentinel Architect We're seeking a talented and experienced Microsoft Sentinel Architect to be responsible for the design, deploy of a new Sentinel solution into an expanding Services business. As a key member of our team, you'll play a vital role in driving security operations and protecting clients' assets. Responsibilities: Solution Design: Develop comprehensive Microsoft Sentinel architectures aligned with our clients' specific needs and industry best practices. Deployment and Configuration: Oversee the deployment and configuration of Sentinel components, including data connectors, analytics rules, and playbooks. Integration: Integrate Sentinel with other security tools and platforms within our MSSP ecosystem. Tuning and Optimization: Continuously monitor and optimize Sentinel performance to ensure maximum effectiveness and efficiency. Training and Mentoring: Mentor junior team members and provide training on Sentinel technologies and best practices. Required Skills and Experience: Proven experience as a Microsoft Sentinel Architect with a deep understanding of its capabilities and limitations. Strong technical skills in Azure, security operations, and data analytics. Experience designing and implementing complex security solutions, into a services environment Knowledge of threat intelligence, incident response, and compliance frameworks. Excellent communication and problem-solving skills.