Scammers could steal British Airways passengers’ personal information through the email check-in link


SECURITY experts have warned British Airways that its passengers’ personal information could be stolen by hackers when they check in through a link sent by email, after finding a potential vulnerability.

Experts at Wandera discovered the potential threat on the e-ticketing system which is used by the airline.

British Airways passengers could face a potential data breach when checking in

The e-mail sent to passengers asking them to check in was “vulnerable” according to the report.

This is because the URL which logs the passenger in automatically includes the booking reference and surname of the passenger, making it open to being targeted by scammers.

As the link is not encrypted, it could be accessed by someone else on the same WiFi network, such as a public hotspot.

Potential details which could then be stolen include email addresses, phone numbers, and itineraries.

With email URLs not encrypted, hackers could intercept private data

This could cause problems for the passenger regarding the safety of their personal information and even lead to their flight being changed or cancelled by the hacker.

Wandera alerted British Airways to the vulnerable link.

There have not been any recent reported cases of passengers having had their information stolen.

It isn’t the first time the vulnerability, which was discovered in July, has been found.

In February, a similar problem was discovered with airlines including Thomas Cook, Air France and Vueling, which were all advised to make changes to keep it secure.


The report explained: “Once the vulnerable check-in link is accessed by the passenger, a hacker can easily intercept the credentials that allow access to the e-ticketing system, which contains all of the personally identifiable information (PII) associated with the airline booking.”

Nabil Hannan, managing principal at Synopsys, commented: “The confirmation number is something that users need to realise is actually private data.

“This situation illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing.

“In other words, there isn’t necessarily a security bug, but rather a security design flaw.”

Israel Barak, chief information security officer at Cybereason, added: “For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over.”

Wandera advises airlines not only to encrypt the check-in process but also to use one-time tokens in the email links to prevent the potential hack.
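A sketch of that advice, next to the link pattern the report describes. This is an added example, not code from British Airways or Wandera; the host name, token lifetime, class and function names are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration; the host is a placeholder.
CHECKIN_BASE = "checkin.airline.example/start"
TOKEN_TTL_SECONDS = 24 * 3600

def legacy_link(booking_ref, surname):
    """Weak pattern from the report: identifiers in a plain-HTTP URL."""
    return f"http://{CHECKIN_BASE}?" + urlencode({"ref": booking_ref, "surname": surname})

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class CheckinLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now
        self._rows = {}  # sha256(token) -> [booking_id, expires_at, used]

    def issue_link(self, booking_id):
        # 256 bits from the OS CSPRNG; the URL carries nothing about the passenger.
        token = secrets.token_urlsafe(32)
        # Store only the hash so a leaked table cannot be replayed as links.
        self._rows[_digest(token)] = [booking_id, self._now() + TOKEN_TTL_SECONDS, False]
        return f"https://{CHECKIN_BASE}?" + urlencode({"t": token})

    def redeem(self, token):
        """Return the booking id once; None if unknown, expired or already used."""
        row = self._rows.get(_digest(token))
        if row is None or row[2] or self._now() > row[1]:
            return None
        row[2] = True  # burn the token: a captured link is useless afterwards
        return row[0]

def token_from_link(link):
    """Extract the token the way the check-in endpoint would."""
    return parse_qs(urlparse(link).query)["t"][0]
```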

However, users can also defend themselves using mobile security services to block any data attacks or leaks while using their phone.

A British Airways spokesperson told Sun Online Travel: “Like other airlines, we are aware of this potential issue.

“No passport or payment information can be accessed without further authentication and there is absolutely no evidence of any attempt to take any customer information.”

How to prevent your phone being hacked

To keep your mobile phone safe from hackers, there are a number of things to do:

  • Avoid public WiFi – this can easily be accessed by secondary users if sharing the same network
  • Use security apps – antivirus and added security systems can prevent malware and bugs being uploaded to your phone
  • Turn off autocomplete – if the phone is hacked, removing any automatic personal information such as addresses and credit cards can stop them being stolen

In January, a ticket booking platform breach meant passengers on more than 100 airlines could have had their data hacked.

Airlines such as British Airways, Lufthansa and Qantas were all at risk after Safety Detective Research Lab found the Amadeus booking platform to be vulnerable.

