
    Millions of credit card numbers and flight data belonging to airline passengers have been vulnerable and easy to access since 2011 due to online security gaps revealed at Germany's largest wholesale ticket dealer.

    The personal data of millions of travelers including the itineraries, names and addresses as well as payment information has been accessible online for years.

    This latest security breach, reported by Sueddeutsche Zeitung on Monday, has been revealed at a difficult time, in the wake of a series of terror attacks across Germany.

    No sophisticated IT skills were needed to retrieve the data and it could be accessed with minimal effort, according to Sueddeutsche Zeitung.

    According to an investigation by the newspaper, the data vulnerability was down to huge security gaps in the computer systems of Berlin-based airline ticket wholesaler Aerticket. The company provides tickets for thousands of corporate clients, including German travel agencies, online booking portals and ticket search engines.

    Aerticket AG is the largest independent airline ticket wholesaler in Germany. Such companies serve as intermediaries between airlines and travel agencies or booking portals, as issuing tickets normally requires a costly license from the International Air Transport Association (IATA).

    Booking a flight on one of Aerticket's partners included receiving an email with a link to retrieve and download a passenger's itinerary receipt, Sueddeutsche Zeitung wrote. Every link to an itinerary receipt ended with an eight-digit number, but the company's failure was that the documents were not protected.

    The eight digits at the end of each link could be changed manually by anyone, allowing a user to jump to other travelers' tickets, invoices, routes and credit card numbers.

    While other flight portals use randomly generated codes that include numbers and letters, that was not the case at Aerticket, the newspaper reported.
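
The difference between a guessable eight-digit link and a randomly generated one, shown as an added example that is not Aerticket's code or part of the original report. All function names, the in-memory stores and the sample records are assumptions constructed for illustration; the hardened version also checks who is asking, since a random code alone still leaves the document unprotected if the link leaks.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample data: the pattern described in the article, where the
# link ends in a sequential eight-digit number and nothing else is checked.
LEGACY_RECEIPTS = {
    "10000001": "receipt for traveler A",
    "10000002": "receipt for traveler B",
}

def legacy_fetch(number: str) -> Optional[str]:
    """Weak form: anyone holding any valid number gets the document."""
    return LEGACY_RECEIPTS.get(number)

# Hardened store: unguessable token -> record bound to the booking's owner.
RECEIPTS: dict = {}

def issue_receipt_link(booking_email: str, document: str) -> str:
    """Store a receipt under a random token and return the link path."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RECEIPTS[token] = {"email": booking_email.lower(), "document": document}
    return f"/receipt/{token}"

def fetch_receipt(token: str, session_email: Optional[str]) -> Tuple[int, Optional[str]]:
    """Return (status, body); the token alone is never sufficient."""
    record = RECEIPTS.get(token)
    # Unknown token and missing login get the same answer, so responses
    # do not confirm which tokens exist.
    if record is None or session_email is None:
        return 404, None
    owner = record["email"].encode()
    caller = session_email.lower().encode()
    if not hmac.compare_digest(owner, caller):
        return 404, None  # valid token, wrong account: still "not found"
    return 200, record["document"]

if __name__ == "__main__":
    link = issue_receipt_link("alice@example.com", "receipt for Alice")
    token = link.rsplit("/", 1)[1]
    print(link)
    print(fetch_receipt(token, "alice@example.com"))  # owner is served
    print(fetch_receipt(token, "bob@example.com"))    # other account is not
    print(legacy_fetch("10000002"))                   # weak form serves anyone
```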

    The files were accessible and contained passengers' names and addresses, departure airports, airline names as well as prices at which tickets were booked. In some cases, even passengers' dates of birth were available.

    Aerticket responded quickly to the newspaper report and eliminated the vulnerability within hours. The company also admitted the gap had existed since 2011 with some 1.5 million bookings made since then.

    The company said the security gap was not exploited by criminals, but Berlin data protection authorities said they will investigate the case, a process that may take up to several months.

    Around 14,500 corporate customers in Germany work with Aerticket but European passengers' data could have been accessible as well. German travel portal flight24.de, also an Aerticket customer, had national websites in Austria, the UK, the Netherlands, France, Italy and Spain.

