The personal data of millions of travelers, including itineraries, names and addresses as well as payment information, has been accessible online for years.
The security breach, reported by Sueddeutsche Zeitung on Monday, has been revealed at a difficult time, in the wake of a series of terror attacks across Germany.
No sophisticated IT skills were needed to retrieve the data and it could be accessed with minimal effort, according to Sueddeutsche Zeitung.
According to an investigation by the newspaper, the data vulnerability was down to huge security gaps in the computer systems of Berlin-based airline ticket wholesaler Aerticket. The company provides tickets for thousands of corporate clients, including German travel agencies, online booking portals and ticket search engines.
Aerticket AG is the largest independent airline ticket wholesaler in Germany. Such companies serve as intermediaries between airlines and travel agencies or booking portals, as issuing tickets normally requires a costly license from the International Air Transport Association (IATA).
Booking a flight on one of Aerticket's partners included receiving an email with a link to retrieve and download a passenger's itinerary receipt, Sueddeutsche Zeitung wrote. Every link to an itinerary receipt ended with an eight-digit number, but the company's failure was that the documents were not protected.
The eight digits at the end of each link could be changed manually by anyone, allowing a user to jump to other travelers' tickets, invoices, routes and credit card numbers.
While other flight portals use randomly generated codes that include numbers and letters, that was not the case at Aerticket, the newspaper reported.
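The contrast between a guessable number and a randomly generated code can be shown in a short sketch. This is an added example, not Aerticket's code or anything published by the newspaper; the class, the function names and the sample bookings are hypothetical, and the surname check is an assumption that goes beyond the random codes the article mentions.

```python
import hashlib
import hmac
import secrets


class ReceiptStore:
    """In-memory stand-in for an itinerary-receipt service (hypothetical)."""

    def __init__(self):
        self._next_id = 10000001      # constructed eight-digit counter
        self._by_id = {}              # sequential number -> receipt
        self._by_token = {}           # sha256(token) -> receipt

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def add(self, receipt):
        """Store a receipt; return (sequential number, random link token)."""
        seq_id, self._next_id = self._next_id, self._next_id + 1
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_id[seq_id] = receipt
        self._by_token[self._digest(token)] = receipt  # raw token is not stored
        return seq_id, token

    def fetch_by_number(self, seq_id):
        """Weak pattern: the number in the link alone selects the document."""
        return self._by_id.get(seq_id)

    def fetch_by_token(self, token, surname):
        """Hardened: unguessable token plus proof the caller knows the booking."""
        receipt = self._by_token.get(self._digest(str(token)))
        if receipt is None:
            return None
        expected = receipt["surname"].casefold().encode()
        if not hmac.compare_digest(surname.casefold().encode(), expected):
            return None
        return receipt


def demo():
    store = ReceiptStore()
    a_id, a_token = store.add({"surname": "Muster", "route": "TXL-LHR"})    # constructed
    b_id, b_token = store.add({"surname": "Beispiel", "route": "MUC-CDG"})  # constructed
    return {
        "neighbour_by_number": store.fetch_by_number(a_id + 1),       # B's receipt
        "number_as_token": store.fetch_by_token(a_id + 1, "Muster"),  # None
        "own_token": store.fetch_by_token(a_token, "muster"),         # A's receipt
        "token_wrong_name": store.fetch_by_token(b_token, "Muster"),  # None
    }
```

With the number-only lookup, the link for one booking also opens the next one; with the token lookup, neither a neighbouring number nor a valid token paired with the wrong name returns a document.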
The files were accessible and contained passengers' names and addresses, departure airports, airline names as well as prices at which tickets were booked. In some cases, even passengers' dates of birth were available.
Aerticket responded quickly to the newspaper report and eliminated the vulnerability within hours. The company also admitted the gap had existed since 2011 with some 1.5 million bookings made since then.
The company said the security gap was not exploited by criminals, but Berlin data protection authorities said they will investigate the case, a process that may take up to several months.
Around 14,500 corporate customers in Germany work with Aerticket, but European passengers' data could have been accessible as well. German travel portal flight24.de, also an Aerticket customer, had national websites in Austria, the UK, the Netherlands, France, Italy and Spain.