WestJet reports disclosure of guest information (opens in new tab)

(westjet2.mediaroom.com)

26 pointsFlott8y ago4 comments

4 comments

4 comments · 1 top-level

tyingq8y ago· 3 in thread

If this means someone is now generally targeting airlines with hacks, it may be a rough ride. Airlines have been using tech for a long time, so their websites are generally an entry point to a mess of legacy integration. And you only have to hack a couple of airlines to get lots of people's data. We're close to a billion passengers flown per year in the US across all airlines.

Also interesting in this context: https://www.rsaconference.com/writable/presentations/file_up... "WestJet’s Security Architecture Made Simple We Finally Got It Right (2015)"

uiri8y ago

The security picture is much much worse than what you suggest. There are only a few global distribution systems; mainly Amadeus and Sabre. These are used by airlines to share passenger name records which include all the personal data collected by the airline and booking agent. If Amadeus or Sabre have their security breached, everyone who travels by air is hosed.

Since these systems are anywhere from 30 to 50 years old, they have little concept of security. Your confirmation/reservation/booking number typically serves the function of your password for the booking. With that, plus say, your last name and maybe your date of travel, it is possible to get full access to the booking.

See this talk for more information: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

tyingq8y ago

"The security picture is much much worse than what you suggest"

Er, okay. Where did I suggest it was rosy?

"mainly Amadeus and Sabre"

Travelport as well, their marketshare is similar to Sabre. Also, the GDS part is interesting, but there are lots of other peripheral systems for things like loyalty programs, gift cards, apis fronting the GDS, etc. All with legacy. It's not really the old TPF platforms themselves that are the problem. It's the sprawl of lots of legacy.

Edit: Also, that presentation. It does bring up a real industry problem, but it also exaggerates for effect. Most airlines, for example, ask not just for last-name/pnr-locator. They ask for first/last/pnr-locator. And, what you can do with that is generally somewhat limited (checkin/change/cancel)...you can't, for example, login as the passenger and see/use frequent flyer points, stored credit cards, and so on. And, the best source to get this info is discarded, already flown, boarding passes, which kills those three possibilities. They also use a genuinely bad example from Oman Air, but then act like all airlines use a similar pattern...they don't. Not discounting that there's a big issue, but the presenters do use a certain style to promote their work.

adamiscool88y ago

And a division of Sabre was breached earlier this year too. [1]

[1] https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-h...

j / k navigate · click thread line to collapse