• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’

2

U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war

3

Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google

1

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’

2

U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war

3

Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google
Tech

Flight Booking Systems Lack Basic Privacy Safeguards, Researchers Say

By
Reuters
Reuters
Down Arrow Button Icon
By
Reuters
Reuters
Down Arrow Button Icon
December 27, 2016, 1:19 PM ET
Operations At San Diego International Airport
An Alaska Airlines airplane takes off at San Diego International Airport in San Diego, California, U.S. on Thursday, Sept. 19, 2013. Airlines must reconsider buying new or used aircraft as rising interest rates increase ownership costs, which could outweigh fuel savings at lower prices. Photographer: Sam Hodgson/Bloomberg via Getty ImagesPhotograph by Sam Hodgson — Bloomberg via Getty Images
Add Fortune on Google for similar content.

Major travel booking systems lack a proper way to authenticate air travelers, making it easy to hack the short code used on many boarding passes to alter flight details or steal sensitive personal data, security researchers warned on Tuesday.

Passenger Name Records (PNR) are used to store reservations with links to a traveller’s name, travel dates, itinerary, ticket details, phone and email contacts, travel agent, credit card numbers, seat number and baggage information.

The six-digit codes act as pincodes for locating travel records, albeit with vital differences that make them highly insecure compared with even the simple usernames and passwords that consumers use to access email or websites, the researchers said.

The world’s three major global distribution systems (GDS) – Amadeus, Sabre and Travelport – manage a majority of travel reservations but face growing competition from airlines and corporate travel and online booking sites.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” researchers at Berlin-based Security Research Labs said in a statement.

Multi-factor authentication works when users offer separate pieces of evidence of their identity such as something they know, like a password, pincode or security question, and something they possess, like a bankcard or a phone linked to them.

With just a passenger’s last name, the researchers were able to use computer guess work to find associated booking codes within hours and thereby gain access to travel records.

“Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” said SRLabs’ Karsten Nohl, who, with co-author Nemanja Nikodijevic, will detail their research this week at the Chaos Communications Congress, Europe’s biggest annual event on hacking.

Nohl has previously exposed major security threats in phones, cars, payment terminals and data storage devices.

Security Research Labs acts as a security consultant to major global clients, including banks.

Two of the three big booking systems – Amadeus and Travelport – assign booking codes sequentially, making brute-force computer guesswork easier. Of the three, Amadeus, through its web portal CheckMyTrip, is especially vulnerable, Nohl said.

“Amadeus is assessing the findings of SR Labs on travel industry security,” a company spokeswoman told Reuters.

“We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems,” she said, referring to airlines and other travel industry partners.

“As a matter of course Amadeus does protect its systems, including Check My Trip, from the type of automated robotic attacks outlined in this report.”

Sabre told Reuters: “We have numerous layers of security in place. Discussing how we maintain security and the privacy of travellers undermines those safeguards and the security of our systems.”

Travelport did not respond to a request for comment.

LONG-KNOWN VULNERABILITIES

Travellers will never know who accessed their information, because PNR data is not logged, the researchers said. Users have no option to secure these codes themselves because the credentials are arbitrarily assigned by airlines using the booking systems.

The researchers call for the airlines to adopt modern safeguards against brute force attacks such as limiting the number of PNR requests per Internet address and offer passengers a changeable password as minimal protections against such attacks.

Nohl said the vulnerabilities he found with travel databases are not new. They have been described, conceptually, by San Francisco-based travel privacy campaigner Edward Hasbrouck, who has waged a sometimes lonely campaign to expose them for years.

For more about travel, watch:

Hasbrouck, author of the 2001 traveller’s rights book The Practical Nomad Guide to the Online Travel Marketplace, said that since the 9/11 airline attacks on U.S. cities, industry and public attention has focused on government access to travel data to insure flight safety instead of such data’s commercial abuse.

Fifteen years ago, he warned: “Privacy is the Achilles’ heel of Internet travel planning”.

Hasbrouck said the SRL research vindicates his arguments.

“If the data protection laws that have been in effect since the early 1990s in the EU and Canada had been enforced, (travel systems) would have been required to make changes that would have significantly reduced some of the vulnerabilities… and that SRLabs has now demonstrated can be exploited,” he said.

About the Author
By Reuters
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

The Netflix logo is displayed on a smartphone screen featuring a color gradient in the background.
Big TechCFO Daily
Netflix stock hits a 52-week low after earnings—but analysts say investors are missing the bigger picture
By Sheryl EstradaJuly 17, 2026
2 hours ago
Esther Perel speaks on stage during a panel discussion at SXSW in London.
Workplace Culturecorporate culture
Esther Perel has a warning for executives: your workforce is suffering from social atrophy and AI is making it worse 
By Sam BirchallJuly 17, 2026
3 hours ago
shelton
Commentarydisruption
Former Obama official on AI anxiety and the depression nobody remembers — and the training model that gives him hope
By Jim SheltonJuly 17, 2026
3 hours ago
Suno Ai on a phone screen with Warner Music Group's logo in the background.
Startups & VentureTerm Sheet
The VC betting $5.4 billion that Suno’s copyright wars won’t matter
By Lily Mae LazarusJuly 17, 2026
3 hours ago
European Commission President Ursula von der Leyen in Brussels on July 13, 2026. (Photo: John Thys/AFP/Getty Images)
NewslettersFortune Tech
Europe has two new rules for Google that will change the way AI assistants work on Android devices
By Andrew NuscaJuly 17, 2026
4 hours ago
Chesky
InvestingMarkets
Tech stocks lead steep global sell-off as investors lose faith in AI chip trade
By Jim EdwardsJuly 17, 2026
5 hours ago

Most Popular

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’
C-Suite
FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’
By Fortune EditorsJuly 15, 2026
2 days ago
U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war
Economy
U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war
By Sasha RogelbergJuly 17, 2026
8 hours ago
Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google
Big Tech
Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google
By Mia OsmonbekovJuly 16, 2026
20 hours ago
Trump's 'American Flag Blue' in the Lincoln Memorial pool is already gray — and the Olympic canoer 'vandal' is fighting his arrest
Politics
Trump's 'American Flag Blue' in the Lincoln Memorial pool is already gray — and the Olympic canoer 'vandal' is fighting his arrest
By Matthew Daly and The Associated PressJuly 16, 2026
1 day ago
26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave
Law
26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave
By Barbara Ortutay, Alexandra Olson and The Associated PressJuly 15, 2026
2 days ago
JPMorgan CEO Jamie Dimon says 300,000 workers are needed to rebuild American shipbuilding—with jobs paying $100,000 without a college degree
Success
JPMorgan CEO Jamie Dimon says 300,000 workers are needed to rebuild American shipbuilding—with jobs paying $100,000 without a college degree
By Preston ForeJuly 16, 2026
1 day ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.