- A security flaw on United Airlines’ website allowed users to see other travellers’ ticket information, according to a report from TechCrunch.
- The flaw, on the page that lets users check the status of refunds, was found by an IT researcher who estimates that 100,000 users’ records were visible.
- United said that no sensitive user information was accessed improperly.
A security flaw in United Airlines’ website may have exposed ticket information for customers who requested a refund, according to a new report from TechCrunch.
The bug caused the website to not validate a user’s last name when checking their refund status. That made it possible to access other travellers’ refund information simply by changing the ticket number, TechCrunch reported.
Like many airlines, United’s website allows users to check their refund status by entering their ticket number and last name. It was not immediately clear whether another user’s information could be viewed without knowing their full ticket number.
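An added illustration of the missing check described above, not code from United or from the TechCrunch report: a refund-status lookup that accepts the surname but never compares it, next to one that requires both fields to match. The record store, field names, ticket numbers and function names are all constructed for this example.

```python
import hmac
import unicodedata

# Constructed sample records; ticket numbers and names are made up.
REFUNDS = {
    "0000000000001": {"last_name": "Garcia", "amount": "120.00", "currency": "USD"},
    "0000000000002": {"last_name": "Müller", "amount": "89.50", "currency": "EUR"},
}


def _norm(name: str) -> bytes:
    """Normalise a surname so that 'MÜLLER ' and 'Müller' compare equal."""
    return unicodedata.normalize("NFKC", name).strip().casefold().encode("utf-8")


def lookup_vulnerable(ticket: str, last_name: str):
    """Behaviour the report describes: last_name is accepted but never checked,
    so changing only the ticket number returns someone else's record."""
    return REFUNDS.get(ticket)


def lookup_hardened(ticket: str, last_name: str):
    """Return refund status only when ticket AND surname match.

    Every failure (unknown ticket, wrong surname) returns the same None,
    so the response does not reveal which ticket numbers exist.
    """
    record = REFUNDS.get(ticket)
    # For an unknown ticket, still run a comparison against a dummy value
    # so both failure paths do the same work.
    stored = _norm(record["last_name"]) if record else b"\x00"
    name_ok = hmac.compare_digest(stored, _norm(last_name))
    if record is None or not name_ok:
        return None
    # Return only the fields the status page needs.
    return {"amount": record["amount"], "currency": record["currency"]}


if __name__ == "__main__":
    print(lookup_vulnerable("0000000000002", "Nobody"))  # record leaks
    print(lookup_hardened("0000000000002", "Nobody"))    # rejected
    print(lookup_hardened("0000000000002", "MÜLLER "))   # legitimate owner
```
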
IT security expert Oliver Linow discovered the bug and told TechCrunch that the security hole allowed him to see traveller names, payment type, currency used, and the refund amount.
Linow said that he reported the bug to United in July, and that it took the airline more than a month to fix it. He tweeted that he estimates that 100,000 user records were visible, possibly more.
Companies doing business in the European Union are subject to steep fines for failing to protect user privacy; it was not clear whether the bug affected European versions of United’s site, nor whether the bug was something that could subject United to penalties.
A spokesperson for United told Business Insider that the airline did not believe that any sensitive customer information was affected.
“We are committed to protecting our customers’ data and resolved this issue after it was brought to our attention,” the spokesperson said in a statement. “We are not aware of any sensitive customer data that was exposed or accessed and will continue to collaborate with cyber security researchers to stay ahead of any potential vulnerabilities within our digital channels.”
Airlines have been inundated with refund requests during the coronavirus pandemic as travellers cancel preexisting plans due to border closures, quarantine requirements, or safety concerns.
However, airlines have been slow to issue refunds as they work to manage cash flow during the crisis, prompting the Department of Transportation to warn airlines about complying with cancellation rules.