A bug on the United Airlines website allowed anyone to access ticket information for travelers who had requested a refund.
On the airline’s website, users can check the refund status of their ticket by entering the ticket number and last name. But the website did not check the last name, which made it possible to access other travelers’ refund information simply by changing the ticket number.
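The missing check, shown as an added example that is not United's code: a refund lookup that accepts the last name but ignores it, next to one that compares it on the server. The record store, field names and function names are assumptions, and the sample data is constructed.

```python
import hmac
import unicodedata

# Constructed sample records; ticket numbers and names are invented.
REFUNDS = {
    "0000000000001": {"last_name": "Garcia", "amount": "120.00",
                      "currency": "EUR", "payment": "card"},
    "0000000000002": {"last_name": "Müller", "amount": "89.50",
                      "currency": "USD", "payment": "voucher"},
}


def _norm(name: str) -> bytes:
    """Normalize and case-fold so 'MÜLLER' matches 'Müller'."""
    return unicodedata.normalize("NFKC", name).strip().casefold().encode("utf-8")


def lookup_vulnerable(ticket_number: str, last_name: str):
    """The flaw described above: last_name is accepted but never compared."""
    return REFUNDS.get(ticket_number)


def lookup_checked(ticket_number: str, last_name: str):
    """Return the record only when the supplied last name matches the stored one."""
    record = REFUNDS.get(ticket_number)
    # For an unknown ticket, still run the comparison against an empty value so
    # both failure cases follow the same path and give the same result.
    stored = record["last_name"] if record else ""
    name_ok = hmac.compare_digest(_norm(stored), _norm(last_name))
    if record is None or not name_ok:
        return None  # caller shows one generic "not found" message
    return record


if __name__ == "__main__":
    # A wrong last name still returns the record from the vulnerable lookup.
    print(lookup_vulnerable("0000000000001", "Nobody"))
    print(lookup_checked("0000000000001", "Nobody"))
    print(lookup_checked("0000000000002", " MÜLLER "))
```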
IT security expert Oliver Linow, who discovered the bug, told TechCrunch that he could see the names of travelers, the means of payment and the currency used to buy the ticket, as well as the amount of the refund. More than 100,000 such records with customer data were available.
United, like most other airlines, allows passengers to access and change their upcoming flights using just the ticket number and last name of the passenger. Thus, anyone who knew the ticket number could change the information about someone else’s flight.
Linow reported the issue to United on 6 July. It took the airline a month to fix it. But Linow received no further response from the airline.
It is not known how long the bug has existed. United did not respond to any emails asking whether the airline had reported the incident to data protection authorities.
Companies that violate European data protection regulations can be fined up to 4% of their annual income.
During the pandemic, airlines withheld billions of dollars in refunds amid a sharp decline in passenger numbers. United later received a $5 billion share of a $25 billion US federal aid package aimed at keeping the airlines afloat.
Earlier this month, United said it would lay off about 20% of its workforce – about 16,370 employees.