Written by

Jeff Stone
February 6, 2019 | CYBERSCOOP

According to a study released Wednesday by mobile security company Wandera, at least eight airlines, including Southwest, use electronic ticketing systems that could allow hackers to access sensitive information about travelers simply by intercepting e-mails. -mails.

Systems are failing to secure personally identifiable customer information, including names, boarding cards, passport numbers and flight numbers, Wandera said.

E-mail vulnerabilities still exist, Wandera found, even though researchers informed the companies several weeks ago, and despite growing business awareness of the risks of sacrificing security for convenience .

The weakness is a registration link that is emailed to customers, found Wandera researchers. Customer information is embedded in the links, allowing travelers to go from their email to a website where they register for a flight without having to enter their user name and their name. password. However, the links are not encrypted and can be reused, which is a tempting target for hackers, according to Michael Covington, vice president of products at Wandera.

"The airlines, in order to facilitate the registration of passengers, have taken shortcuts that have led to a potential exposure of personal information," he said.

The airlines involved include Southwest airlines, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, said Wandera. Wandera reported the vulnerability of each company and received responses, although none of them seem to have corrected it, Covington said.

Airlines seem to use unique servers for automated marketing that fail to protect user information.

"It's not just the personal information in which they could enter, but electronic ticketing systems basically allow people to enter without authentication, which would allow you to edit the details of the people, such as the attribution seats and checked baggage, "Covington said. "In some cases, you can modify existing bookings."

There is no evidence that outsiders have exploited the vulnerabilities.

Southwest Airlines is perhaps the best-known low-cost airline operating in the United States, with 5% growth expected in 2019, according to industry analysts at the Center for Aviation. Air France and KLM, which merged into a single holding company in 2004, jointly form one of the largest airlines in the world. Other companies cited in the report – Vueling, Transavia and Air – are based in Europe. Thomas Cook is a British charter company and Jetstar is a low cost airline in Australia.

CyberScoop solicited feedback from each of the airlines mentioned in this report. Several acknowledged having received a request for comment. All but three did not provide a statement or answer the questions within the time limit.

In a statement, a spokeswoman for Thomas Cook said, "We take the security of our customers' data very seriously and have investigated it as a matter of priority. We reviewed the issues raised and took immediate action to further strengthen the security of our customer data. A Southwest spokesperson said, "Although we have no comment on this, the security and protection of our customers and their privacy is our highest priority. "

A spokeswoman for JetStar said the company took the security and confidentiality of the data "very seriously" and that the airline had "several levels of security".

Air travelers looking for an Internet connection at an airport, hotel or elsewhere during their trip are particularly at risk, as they would be more likely to connect to public WiFi, thereby ignoring security measures, Covington said.

"If you use a Wi-Fi or physical network that uses encryption, it will not be a problem," he said.

"I can not speak individually for the airlines," he said. "We are not a vulnerability testing company and it is not up to us to look for and find this. But I can tell you that the airlines we talked to were very attentive and willing to hear more. "