One month after being hit with a huge fine over a data breach, British Airways has another security hole that could leave customers’ private information exposed to hackers, according to new research.
The problem is with the unencrypted check-in links that the airline emails to its customers, according to cybersecurity firm Wandera, which found the vulnerability. Those links include passenger details in the URL, such as last names and confirmation numbers, to make it easier for people to automatically log into British Airways’ website.
“We started seeing, within the past two to three months, an increase in the number of unencrypted connections that were destined for British Airways domains,” Michael Covington, vice president at Wandera, tells Fortune. “What we found was the info that was leaking, was typically a person’s name and booking reference number.”
Having those two pieces of information are like “having the keys to the kingdom,” Covington says, since it can allow a hacker using public Wi-Fi to intercept the link request and access other personal information included in a booking. Email addresses, telephone numbers, British Airways loyalty program membership numbers, flight times, and seat numbers were among the pieces of data that could be vulnerable. Passport numbers and payment information were not at risk.
Wandera says it contacted British Airways’ data protection officer twice, but did not receive a response. That role is mandated under GDPR, Europe’s tougher privacy law that went into effect last year, to ensure customer data is protected and that breaches are quickly contained and reported. British Airways says it hasn’t seen those emails.
“We take the security of our customers’ data very seriously. Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected,” a British Airways representative tells Fortune. The airline says it has several systems in place that are designed to protect customers’ private information.
British Airways and Wandera say there’s no evidence the flaw has been exploited in the wild. However, Covington says his team estimates that 2.5 million connections were made to the affected British Airways domains over the past six months, showing the potential for mass exploitation.
The report of the vulnerability follows British Airways being slapped with a proposed fine of $221 million by the U.K. Information Commissioner’s Office last month for a breach last year involving the data of 500,000 customers. If the breach had happened before GDPR, the top fine would have merely been $604,000.
In the case of the check-in links, Covington says it’s an easy fix.
“I’m surprised we are seeing this issue now after getting a fine under GDPR,” he says. If British Airways encrypted the links, then he says Wandera, and would-be hackers, wouldn’t be able to pick up on any of the sensitive information in the links.
While it’s nice to not have to log in, Wandera also recommends that customers should be required to log in anytime when their personal information could be accessed and edited.
This story has been updated to include a response from British Airways.
More must-read stories from Fortune:
—What you need to know about 8chan, the controversial site tied to the El Paso shooting
—Verizon’s unlimited plans are getting cheaper. Here’s what you should know
—What CEOs, bankers, and tech execs think about a coming recession
—How an alleged Amazon theft ring got the goods
—Boeing adds a second flight control computer to the 737 Max
Catch up with Data Sheet, Fortune‘s daily digest on the business of tech.
