In the modern era of technology, convenience and efficiency have become paramount, especially when it comes to travel arrangements. With the ease of online booking, sharing airline booking numbers and last names has become common practice, but what may seem like an innocuous act unfortunately can actually lead to a severe security vulnerability that still needs addressing.
Airline booking numbers, often referred to as Passenger Name Records (PNR), are unique identifiers assigned to each flight reservation. These alphanumeric codes, along with the traveler’s last name, are routinely shared through various means, such as email invitations, shared calendars, and messages with friends or colleagues.
Most people are unaware of the potential risks associated with sharing this sensitive information, but in this blog, we’ll explore this unsettling security issue surrounding airline booking numbers and the lack of authentication that allows unauthorized individuals to make changes to your flights — something that could lead to potential disruptions of your life and even financial losses.
How Airline Booking Numbers Can Be a Gateway To Unauthorized Flight Modifications
These consequences are not hypothetical — I’ve personally witnessed them within my own family.
It was a beautiful summer day in Seattle when I found myself visiting my sister’s cozy home for a much-awaited family reunion. Though we were all excited to spend time together, as I stepped into her living room, my sister greeted me with a slightly troubled expression on her face.
“You won’t believe what I just did,” she exclaimed, looking a bit flustered. When I asked what had happened, she began to narrate the incident with a sigh.
Earlier that day, she’d decided to make a minor modification to her upcoming flight with British Airways, and like many others, she turned to the internet for the airline’s contact details. She landed on what she thought was British Airways’ official website and quickly found a toll-free 800 number — without pausing to double-check the website’s authenticity, she dialed it and was greeted by a pleasant voice claiming to be a representative from British Airways.
Oblivious to the potential danger that lurked ahead, she proceeded with her intention to modify. The “representative” asked for her booking number, her last name, and then the shocking request for her credit card information.
“That’s when I started feeling something was off,” she confessed. “I mean, why would they need my credit card details to make a simple flight change?”
Listening to her story, I immediately sensed the gravity of the situation. It was evident that she had stumbled upon an imposter posing as British Airways’ customer service, though she’d been lucky — having realized that she might be caught in a potential scam, she wisely hung up the phone before any further damage could be done.
However, the story didn’t end there. The scammer on the other end, displeased with her decision to terminate the call, took spiteful action. Without a second thought, they maliciously canceled her non-refundable ticket to Europe, leaving her distressed and baffled. She promptly contacted British Airways’ official customer service, and to her surprise, they informed her that the cancellation had been done online, and she had initiated it herself.
“That’s impossible,” she argued. “I didn’t cancel it!”
As no one else in her household had access to her personal information, it became clear that someone else had manipulated her booking and caused the cancellation. As we delved deeper into the situation, it dawned on us that her personal information must have been compromised during that seemingly innocent phone call to the fake customer service number — the imposter had cleverly gathered the necessary details to access her account on the official website and make the sinister alteration.
The Potential Consequences of Security Flaws in the Airline Industry
My sister’s unfortunate experience not only served as a cautionary tale but also got me thinking about the larger security issue that travelers face due to the lack of proper authentication methods employed by airlines.
While my sister was lucky to escape worse consequences, that lack of robust authentication in the airline industry allowed someone with malicious intentions to easily exploit what they did manage to gather from her, leading to unauthorized access and unauthorized changes to her flight.
It’s a significant security flaw that, by obtaining your booking number and last name, malicious actors can gain the power to manipulate your travel plans without your knowledge or consent — what’s worse is that this also opens the door to a range of other unsettling possibilities:
• Flight Changes: Unscrupulous individuals can modify your flight details, altering the date, time, or destination without your knowledge — imagine arriving at the airport only to find out your flight has been rescheduled, causing undue stress and inconvenience.
• Flight Cancellations: In a worse scenario, hackers can cancel your flight altogether. This could lead to missed events, important meetings, or once-in-a-lifetime opportunities.
• Identity Theft: Airline booking numbers, when combined with personal information, can be exploited to commit identity theft, leading to more severe consequences beyond flight modifications.
• Financial Loss: Unauthorized modifications can result in extra fees, penalties, or the loss of non-refundable tickets, leaving travelers with a financial burden they did not anticipate.
How to Improve Cybersecurity in the Airline Industry
To protect their customers’ sensitive information and provide peace of mind to travelers, the airline industry must acknowledge and address this glaring security issue — here are some baseline (yet essential) steps that airlines and booking platforms should implement to get started:
• Two-Factor Authentication: Implementing two-factor authentication (2FA) would add an additional layer of security, requiring users to verify their identity through a second method such as a one-time code sent to their mobile device.
• Encryption and Tokenization: Robust encryption and tokenization techniques can help safeguard sensitive data like booking numbers and personal details from unauthorized access.
• User Education: Airlines should boost awareness among travelers regarding the potential risks associated with sharing booking numbers and last names — and thereby promote responsible sharing practices.
• Regular Security Audits: Conducting routine security audits and vulnerability assessments will help identify and rectify potential weaknesses in the booking systems.
Security Standards Suitable for the Airline Industry
Regarding the final point about audits, there are a few standards that can help airlines and booking services shore up this security flaw, as well as other vulnerabilities that may be lurking in industry cyber defenses:
• NIST Cybersecurity Framework (CSF): A set of guidelines and best practices designed to measure and track maturity as an organization grows and its threat landscape evolves; implementing and being assessed against the NIST CSF can improve your critical infrastructure so that you can better manage and reduce cybersecurity risk.
• PCI DSS: Whereas the NIST CSF takes a broader scope of your cybersecurity, PCI DSS concerns itself particularly with the controls you have in place to protect payment card data and its environment from unauthorized access or use, of which multi-factor authentication and encryption are requirements.
The airline industry is not unique in facing cyber threats, and these standards — and the third-party assessments that independently validate the efforts they require would be worth the investment as threats continue to grow more sophisticated across all sectors.
Moving Toward More Secure Air Travel
The ease with which airline booking numbers and last names are shared presents a serious security concern that must not be overlooked. As passengers, we must be vigilant and mindful of where and with whom we share our booking details, but airlines must also prioritize the implementation of robust security mechanisms to safeguard their customers and preserve the integrity of the travel experience.
Through the implementation of adequate authentication measures validated thoroughly by regular security audits, travelers will become less vulnerable to unauthorized flight modifications, cancellations, and potential identity theft, just as the airlines themselves will become less likely to suffer the negative consequences associated with customer dissatisfaction.
By raising awareness and taking necessary precautions, we can collectively ensure safer and more secure travels in the digital age.
About the Author
Avani Desai is a chief executive officer at Schellman, the largest niche cybersecurity assessment firm in the world that focuses on technology assessments. Ms. Desai is an accomplished executive with domestic and international experience in information security, operations, P&L, oversight, and marketing involving both start-up and growth organizations. She is a sought-after speaker as a voice on topics such as security, privacy, information security, future technology trends, and the expansion of young women involved in technology.