In a much-publicised instance,in 2020,former prime minister Tony Abbottsnapped a photo of his boarding pass for a Qantas flight from Tokyo to Sydney and posted it to Instagram. Using Abbott’s booking reference and surname,hacker Alex Hope went to the “Manage booking” section on the Qantas website and,without too much difficulty,unzipped Abbott’s passport number,phone number,seat preference and staff comments regarding the former PM. Hope had no ill intent,and the only damage was a new passport for Abbott,but it could have been worse.
The airlines you fly with know a lot about you. Your name,date of birth,your passport number if you fly internationally,email address,phone number and credit card details. In the wrong hands,that data becomes part of a bigger picture about you that can be used to scam your credit card,plant malware in your computer or even steal your identity and transfer funds from your accounts to theirs.
In 2016,in a live demonstration at Europe’s annual Chaos Communication Congress,Karsten Nohl,chief executive of Berlin’s Security Research Labs,demonstrated how using nothing more than the barcode on your boarding pass a hacker could access your personal information,alter your coming flights to another passenger’s name,break into your frequent flyer account,steal your airline points and find out your address and travel dates.
Those last details are solid gold for an old-fashioned thief who might want to break into your home during your absence. Even a discarded boarding pass can become a handy tool for anyone looking to prise open your airline account and make use of whatever data they can extract.
Loading
That congress was back in the Pleistocene era in cybersecurity terms. Meanwhile,quite a few airlines have tightened security protocols. Singapore Airlines is one such airline. The carrier was scalded in a 2021 data breach when servers belonging to global information technology company SITA were hacked. The hack uncovered the names,addresses,frequent flyer numbers and status level of some 580,000 KrisFlyer members,although no passwords or email addresses were stolen.
American Airlines suffered a cyber-attack in 2022 that unveiled some passengers’ names,email addresses,passport numbers,date of birth,driver’s licence numbers,mailing addresses,phone numbers and medical information.
Since then,Southwest Airlines,American Airlines (again),Air Canada and Air Europe have all suffered data breaches,often when unsuspecting employees clicked on phishing emails that installed malware in their computer systems,offering a keyhole to hackers. At least the hatch has been tightened on frequent flyer accounts,with many airlines now requiring two-factor ID to access accounts.