Not even a week goes by since we’ve covered the top 10 data breaches and leaks of 2018, and then this happens…

Serving half the world’s flight information on a platter

Amadeus is a leading flight reservation system that processes the bookings of major airlines including British Airways, Air France, United Airlines, and a host of others. Simply put, any time approx. 44% of the world’s airline passengers book their flights online, their reservations are processed by the company, which then provides them (and the airlines themselves) with a booking reference, known as the passenger name record (PNR).

Now, what if we told you that all it takes to access and change the information of your reservation is to click the link to that reference and change a single line of code?


Yes, that’s exactly what it takes, as hacker and activist Noam Rotem discovered when reserving a flight through El Al, Israel’s national airline. After receiving a buggy link with his PNR, Rotem learned that by changing a line of code he was granted permission to see “any PNR and access the customer name and associated flight details.”

Rotem then proceeded to use these to sign in to El Al’s Customer Portal, where he was able to have his way with anyone’s anything – from claiming frequent flyer miles, assigning “seats and meals,” to having complete control over the passenger’s personal information and access to customer service in their name.

What’s more, to Rotem’s surprise, the Amadeus security flaw extended to all “141 airlines using the Amadeus system.” Thankfully, after Rotem reported the flaw to the company, this Amadeus breach now seems to have been closed.

Institutional negligence

This is not the first time such a security vulnerability has been discovered, but it seems that online booking giants like Amadeus are just too big to learn.

Admittedly, fixing the problem would entail introducing additional protections such as request limits and captchas, or better yet, doing away with the PNR system entirely and replacing it with something less exploitable. This, of course, would require a lot of work from a lot of companies, since the current booking system is incredibly pervasive.

Until that happens, however, similar breaches are bound to happen time and again.

How many were (potentially) affected?

In their own words, Amadeus provides travel agents with “access to the widest choice of travel providers, including 95% of the world’s scheduled airline seats.” In 2016 alone, the system “processed 595 million bookings and boarded 1382 million passengers.” Let that sink in.

Although it’s unclear if anyone else besides Rotem has tried to exploit this Amadeus flaw, the potential number of people at risk is mind-boggling. However, until (and if) Amadeus find out and disclose the actual numbers, there’s simply no way to know.

What should you do?

Considering the Amadeus security flaw has been “fixed,” and as of yet there’s no evidence that anyone’s been affected, there’s actually not much you can do at the moment. At least regarding the Amadeus incident, your best bet is to hope you haven’t been had.

In the meantime, make sure you’ve got your every other cybersecurity corner covered – because lately, it seems that major online vulnerabilities, leaks, and breaches tend to be discovered on a monthly (if not weekly) basis. And the first step of ensuring your security on the internet is securing your internet connection with a reliable VPN service.