[BreachExchange] United Airlines’ website bug exposed traveler ticket data

Destry Winant destry at riskbasedsecurity.com
Fri Sep 11 09:58:45 EDT 2020


https://techcrunch.com/2020/09/10/united-website-bug-tickets/

A bug in United Airlines’ website let anyone access the ticket
information for travelers who requested a refund.

The airline’s website lets users check their refund status by entering
their ticket number and last name. But the website wasn’t validating
the last name, making it possible to access other travelers’ refund
information by changing the ticket number.
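The defect described above, as an added illustration that is not code from United or from the article: a refund-status lookup that accepts both fields but keys only on the ticket number, beside one that requires both to match. The records, ticket numbers and field names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import hmac


@dataclass(frozen=True)
class RefundRecord:
    ticket_number: str
    last_name: str
    payment_type: str
    currency: str
    refund_amount: str


# Constructed sample data standing in for the airline's refund store.
REFUNDS: Dict[str, RefundRecord] = {
    "0161234567890": RefundRecord("0161234567890", "LINOW", "credit card", "EUR", "412.30"),
    "0161234567891": RefundRecord("0161234567891", "DOE", "debit card", "USD", "98.00"),
}


def refund_status_vulnerable(ticket_number: str, last_name: str) -> Optional[RefundRecord]:
    # The form collects a last name, but the lookup never checks it, so
    # changing the ticket number returns another traveler's record.
    return REFUNDS.get(ticket_number)


def refund_status_fixed(ticket_number: str, last_name: str) -> Optional[RefundRecord]:
    record = REFUNDS.get(ticket_number)
    if record is None:
        return None
    # Treat the surname as a second required factor. Normalize case and
    # whitespace, compare in constant time, and return the same "not found"
    # result for a wrong name as for an unknown ticket so the response does
    # not reveal which of the two inputs was valid.
    supplied = last_name.strip().casefold().encode("utf-8")
    stored = record.last_name.casefold().encode("utf-8")
    if not hmac.compare_digest(stored, supplied):
        return None
    return record
```

Because ticket numbers are not secret, the surname check is the only thing standing between a guessed ticket number and someone else's refund data; rate limiting on the endpoint is a separate, complementary control.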

IT security expert Oliver Linow, who found the bug, told TechCrunch
that he could see traveler surnames, the payment type and currency
used to buy the ticket, and the refund amount.

United, like most other airlines, lets passengers access and modify
their upcoming flights using only a passenger’s ticket number and last
name.

Linow reported the issue to United on July 6. It took the airline a
month to fix. But Linow did not hear back again from the airline.

It’s not known how long the bug was present. United did not respond to
our emails with questions about whether the airline informed data
protection authorities about the incident.

Companies found in violation of European data protection rules can be
fined up to 4% of their annual revenue.

Airlines have withheld billions of dollars’ worth of refunds during
the pandemic amid a sharp decline in passenger numbers. United later
received a $5 billion share of a $25 billion U.S. federal aid package
aimed at keeping the airline industry afloat.

Earlier this month, United said it would furlough about 20% of its
staff — some 16,370 employees.
