United Airlines has corrected a flaw in its website that was compromising the privacy of thousands of passengers. The flaw allowed other people to access a passenger’s refund information. The viewable information did not include credit card data. But the flaw did expose the passenger’s name, how the ticket was paid for, the currency, and the refund amount.
Up to 100,000 passengers may have had sensitive information exposed
Zack Whittaker broke the story in TechCrunch yesterday. The flaw affected the page on the website where passengers check their refund status. Usually, United Airlines needs you to punch in your surname and ticket number. But, for some time, the website was not verifying the surname, bringing up a passenger’s data based only on the ticket number.
Were you so inclined, you could punch in random ticket numbers within United’s ticket number parameters and potentially access other people’s information.
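The missing check described above, as an added example that is not United's code and not taken from the original article: a refund lookup that ignores the surname, next to one that requires it to match, answers identically for an unknown ticket and a wrong surname, and stops answering a client after repeated misses. The records, the `client_id` parameter and the `MAX_FAILURES` threshold are assumptions made up for illustration.

```python
import hmac
import unicodedata

# Constructed sample records; ticket numbers, names and amounts are made up.
REFUNDS = {
    "0000000000001": {"surname": "Nguyen", "payment": "card",
                      "currency": "USD", "amount": "212.40"},
    "0000000000002": {"surname": "Müller", "payment": "voucher",
                      "currency": "EUR", "amount": "89.00"},
}
MAX_FAILURES = 5   # assumed per-client limit on failed lookups
_failures = {}     # client id -> number of failed lookups so far


def _norm(name):
    """Case- and accent-insensitive form, so 'MULLER' matches 'Müller'."""
    decomposed = unicodedata.normalize("NFKD", name.strip().casefold())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def lookup_flawed(ticket_no, surname):
    """Behaviour the article describes: the surname is accepted but never checked."""
    return REFUNDS.get(ticket_no)


def lookup_checked(client_id, ticket_no, surname):
    """Return refund details only when ticket number AND surname both match."""
    if _failures.get(client_id, 0) >= MAX_FAILURES:
        return None  # this client keeps missing; refuse further lookups
    record = REFUNDS.get(ticket_no)
    # For an unknown ticket, compare against a dummy value so that
    # "no such ticket" and "wrong surname" follow the same path.
    expected = _norm(record["surname"]) if record else "\x00"
    match = hmac.compare_digest(expected.encode(), _norm(surname).encode())
    if record is None or not match:
        _failures[client_id] = _failures.get(client_id, 0) + 1
        return None  # same answer for both failure cases
    # Return only what the refund status page needs to display.
    return {k: v for k, v in record.items() if k != "surname"}
```

Counting failed lookups per client is also the signal a monitoring rule would alert on, since a run of misses across many ticket numbers from one source is what guessing looks like in the logs.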
TechCrunch reported a Deutsche Welle employee named Oliver Linow discovered the flaw. Mr Linow works in IT security at the German broadcaster. He notified United Airlines about the flaw in July. The airline then took a month to sort the issue. It is unknown whether the flaw affected United Airlines’ websites globally or only specific regions.
I found this bug in United Airlines website in July. I guess there were up to 100,000 records available, maybe even more. @chaosupdates https://t.co/MCXcxDSH4E
— Oliver Linow (@OliverLinow) September 10, 2020
An estimated 100,000 passenger refund records were viewable. As credit card data was not viewable, United Airlines says no super-sensitive information was available.
“We are not aware of any sensitive customer data that was exposed or accessed,” the airline said in a statement seen by Simple Flying.
“United Airlines is committed to protecting our customers’ data and resolved this issue after it got brought to our attention.
“We will continue to collaborate with cybersecurity researchers to stay ahead of any potential vulnerabilities within our digital channels.”
Airline industry deploys a range of tactics to keep your cash
Refund volumes are up at United Airlines, as at other airlines. Amid the ongoing travel downturn, passengers are canceling flights and wanting refunds rather than rebooking forward travel.
It’s proving a considerable expense for United Airlines. The airline is already seeing cash outflows of approximately US$5 billion a month. Compounding this is an expected 85% drop in passenger revenue at United Airlines this quarter.
The Wall Street Journal reports travel agents around the United States have already processed over US$1 billion in refunds. That’s before airlines process refunds on tickets booked directly.
While not alone, United Airlines has fought hard to retain as much cash as possible. As a result, the airline deployed a range of tactics to delay refunds or circumvent offering them.
While the rules vary by jurisdiction, in the United States, an airline is obliged to offer a refund if a flight gets canceled, and there are no suitable alternative flights. But airlines are doing their best to persuade customers to accept travel vouchers. That way, the airline gets to keep the cash.
If passengers do insist on refunds, lengthy processing delays have become the norm. As a result, more passengers than usual risked having their privacy compromised with this flaw.
This incident is not the first data breach in the airline industry, and it won’t be the last. But the sheer volume of passengers impacted does draw attention to the problem of refunds. Today, it’s United’s bad luck that they are in the firing line.