BreachExchange mailing list archives
United Airlines’ website bug exposed traveler ticket data
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 11 Sep 2020 08:58:45 -0500
https://techcrunch.com/2020/09/10/united-website-bug-tickets/

A bug in United Airlines’ website let anyone access the ticket information for travelers who requested a refund.

The airline’s website lets users check their refund status by entering their ticket number and last name. But the website wasn’t validating the last name, making it possible to access other travelers’ refund information by changing the ticket number.

IT security expert Oliver Linow, who found the bug, told TechCrunch that he could see traveler surnames, the payment type and currency used to buy the ticket, and the refund amount.

United, like most other airlines, lets passengers access and modify their upcoming flights using only a passenger’s ticket number and last name.

Linow reported the issue to United on July 6. It took the airline a month to fix. But Linow did not hear back again from the airline. It’s not known how long the bug was present.

United did not respond to our emails with questions about whether the airline informed data protection authorities about the incident. Companies found in violation of European data protection rules can be fined up to 4% of their annual revenue.

Airlines have withheld billions of dollars’ worth of refunds during the pandemic amid a sharp decline in passenger numbers. United later received a $5 billion share of a $25 billion U.S. federal aid package aimed at keeping the airline industry afloat.

Earlier this month, United said it would furlough about 20% of its staff — some 16,370 employees.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com

If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange
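The missing surname check described in the article, shown beside a corrected lookup, as an added example that is not part of the original post and is not United's code. It goes one step beyond the article by also flagging clients that fail lookups across many ticket numbers; all function names, the record layout and the sample data are hypothetical.

```python
import hmac
import unicodedata
from collections import defaultdict

# Constructed sample data: ticket numbers, names and amounts are made up.
REFUNDS = {
    "0000000000001": {"surname": "Müller", "payment": "card",
                      "currency": "EUR", "amount": "412.50"},
    "0000000000002": {"surname": "Okafor", "payment": "card",
                      "currency": "USD", "amount": "129.00"},
}

def lookup_unvalidated(ticket, surname):
    """Flawed pattern: the surname field is accepted but never compared."""
    return REFUNDS.get(ticket)

def _norm(name):
    # Normalise Unicode form, surrounding whitespace and case before comparing.
    return unicodedata.normalize("NFKC", name).strip().casefold().encode("utf-8")

def lookup_validated(ticket, surname):
    """Return refund details only when ticket number AND surname both match."""
    record = REFUNDS.get(ticket)
    # Compare even for unknown tickets so both failure cases take the same path.
    expected = record["surname"] if record else ""
    match = hmac.compare_digest(_norm(expected), _norm(surname))
    if record is None or not match:
        return None  # identical answer for unknown ticket and wrong surname
    # The caller already knows the surname, so it is not echoed back.
    return {k: record[k] for k in ("payment", "currency", "amount")}

def enumeration_suspects(attempts, max_tickets=3):
    """attempts: iterable of (client_id, ticket, succeeded) tuples.

    Flags clients whose failed lookups span more than max_tickets distinct
    ticket numbers, the footprint left by stepping through ticket numbers.
    """
    failed = defaultdict(set)
    for client, ticket, succeeded in attempts:
        if not succeeded:
            failed[client].add(ticket)
    return sorted(c for c, tickets in failed.items() if len(tickets) > max_tickets)
```

The validated lookup still relies on two low-entropy values, so the per-client failure count is what limits guessing once the check itself is in place.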