Links received by British Airways customers through email that allow them to check in for their flights are being sent unencrypted. “In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” the researchers stated. Since the link is sent unencrypted, any user on the same network can read the details of other passengers and potentially alter their booking information. Information that could be exposed includes passengers’ names, email addresses, phone numbers, membership numbers, booking reference numbers, itineraries, flight numbers, flight times, and seat numbers. The flaw was initially discovered in July and reported to British Airways shortly after; at the time of this report, it had not yet been fixed. A British Airways spokesperson said “We take the security of our customers’ data very seriously. Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected.” The airline also confirmed that none of the information had been accessed illegally.
Until the flaw is fixed, users should consider opting out of the email check-in option and check in manually when they arrive at the airport. If a user still decides to use the email check-in link, they should do so on a private, secure Wi-Fi network. Any use of public Wi-Fi comes with security concerns and could allow an attacker to view the traffic and steal the information.
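To make the weakness concrete, here is an added example (not code from the article or from British Airways): a link audit that flags the two problems described above, plain-HTTP transport and passenger details carried in the query string, beside a hardened link design that sends only an opaque single-use token over HTTPS. The host name, parameter names and booking data are constructed placeholders, not the airline's real values.

```python
import secrets
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query-parameter names that mean the link itself carries passenger data.
# Constructed list for this example; the real parameter names are not known.
SENSITIVE_KEYS = {"name", "surname", "email", "phone", "membership",
                  "booking", "pnr", "seat", "flight"}

def audit_checkin_link(url):
    """Return the list of problems found in an emailed check-in link.

    Two independent problems are reported: plaintext transport (anyone on the
    network path can read the URL) and personal data in the query string
    (visible in browser history, proxy and web-server logs, and Referer
    headers even when the transport is HTTPS).
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("plaintext transport (%s)" % (parts.scheme or "none"))
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    leaked = sorted(keys & SENSITIVE_KEYS)
    if leaked:
        findings.append("passenger data in query: " + ", ".join(leaked))
    return findings

# Server-side store mapping a random token to the booking it unlocks.
# In production this would be a database row with an expiry and a use count.
_TOKEN_STORE = {}

def issue_checkin_link(base_url, booking):
    """Hardened alternative: HTTPS link carrying only an opaque, single-use token."""
    token = secrets.token_urlsafe(32)
    _TOKEN_STORE[token] = dict(booking, used=False)
    _, host, path, _, _ = urlsplit(base_url)
    return urlunsplit(("https", host, path, urlencode({"token": token}), ""))

def redeem_token(token):
    """Look up the booking for a token; each token works exactly once."""
    record = _TOKEN_STORE.get(token)
    if record is None or record["used"]:
        return None
    record["used"] = True
    return {k: v for k, v in record.items() if k != "used"}

if __name__ == "__main__":
    # Constructed example of the weak pattern (placeholder host, not a real URL).
    weak = ("http://checkin.example.com/login?surname=Smith&booking=ABC123"
            "&email=smith%40example.com&flight=XY123&seat=12A")
    print(audit_checkin_link(weak))
    link = issue_checkin_link("http://checkin.example.com/login",
                              {"surname": "Smith", "booking": "ABC123"})
    print(audit_checkin_link(link))  # [] : nothing sensitive, HTTPS only
```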