Thomas Cook vulnerability potentially exposed personal data of 'hundreds of thousands' of fliers

Airline denies customers are at risk, refuses to report breach

A security researcher in Norway has discovered a major vulnerability in Thomas Cook Airlines' booking system, which could have exposed personal information including names, email addresses and flight details to third parties.

Roy Solberg found that it was possible to retrieve the data using just a booking reference number, after booking a flight through travel agency Ving (owned by Thomas Cook).

Ving assigns sequential booking reference numbers to its customers (e.g., 101, 102, 103), and the lookup required nothing beyond that number. Anyone holding a legitimate reference could therefore count up or down from it and pull other customers' bookings, with no password or personal detail to check against.

Solberg said that he was able to access flight details going back as far as 2013 and forward into 2019, meaning that potentially hundreds of thousands of bookings were exposed.
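The weakness described above is a textbook insecure direct object reference: a record is served to whoever presents its identifier, and because the identifiers are sequential, presenting someone else's is trivial. The following is an added illustration written for this article, not code from Ving or Thomas Cook, and the booking data in it is constructed. The "hardened" lookup, which demands a second fact tied to the booking (here the passenger surname) and hands out random rather than sequential references, is one common mitigation; the article does not say what fix Thomas Cook actually deployed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Booking:
    reference: str
    surname: str
    email: str
    flight: str


# Constructed sample data: sequential references, as the article describes.
BOOKINGS: Dict[str, Booking] = {
    "101": Booking("101", "HANSEN", "a.hansen@example.invalid", "OSL-PMI 2018-09-12"),
    "102": Booking("102", "BERG", "k.berg@example.invalid", "ARN-AYT 2018-10-03"),
    "103": Booking("103", "NILSEN", "s.nilsen@example.invalid", "CPH-LPA 2018-11-20"),
}


def lookup_vulnerable(reference: str) -> Optional[Booking]:
    """Return a booking to anyone who knows (or guesses) the reference.
    With sequential references, guessing is just counting."""
    return BOOKINGS.get(reference)


def lookup_hardened(reference: str, surname: str) -> Optional[Booking]:
    """Require a second piece of knowledge tied to the booking.

    A missing reference and a wrong surname both yield None, so the caller
    learns nothing about which part was wrong. compare_digest avoids
    leaking the surname through comparison timing."""
    booking = BOOKINGS.get(reference)
    if booking is None:
        return None
    if not hmac.compare_digest(booking.surname.encode(), surname.upper().encode()):
        return None
    return booking


def new_reference(length: int = 8) -> str:
    """Random, non-sequential reference (hypothetical scheme): knowing one
    customer's reference gives no way to derive another's. The alphabet
    drops 0/O and 1/I to avoid transcription mix-ups."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def sweep(lookup: Callable[..., Optional[Booking]], start: int, count: int,
          **extra: str) -> List[Booking]:
    """Model an attacker walking sequential references start..start+count-1
    against a lookup function; return every booking it hands back."""
    found: List[Booking] = []
    for n in range(start, start + count):
        booking = lookup(str(n), **extra)
        if booking is not None:
            found.append(booking)
    return found


if __name__ == "__main__":
    # Sequential references + lookup-by-reference: the sweep collects everything.
    print(len(sweep(lookup_vulnerable, 100, 10)))  # 3
    # Same sweep with a surname the attacker does not know: nothing comes back.
    print(len(sweep(lookup_hardened, 100, 10, surname="SMITH")))  # 0
    print(new_reference())
```

Note that the second factor only helps if it is not itself printed next to the reference on the same boarding pass or confirmation e-mail, and that random references still need rate limiting on the lookup endpoint; the example shows the access-control change, not the full set of controls a production booking system needs.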

Despite that, Thomas Cook has said that an internal assessment has determined that the sensitivity of the data did not pass its threshold for reporting the case to data protection authorities.

The company says that only its Nordics division was affected by the vulnerability, which has since been fixed (after repeated warnings from Solberg). Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were all at risk.

Thomas Cook told Sky News, 'Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities.

'For the same reasons we have not contacted the customers affected.'

However, an ICO spokesperson said, 'This story does raise some potential concerns and we will be making further enquiries'.

Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, said:

"Thomas Cook has used Article 33 of the GDPR to avoid reporting this incident both to the ICO and its customers. This refers to the fact that organisations do not need to report a breach of personal data where the risk to customers is low.

"It appears that in making this assessment, Thomas Cook has used the fact that only 100 of its customers' data was compromised, and that it was done so as part of a non-criminal 'test' by a cyber researcher. Arguably, whether affected customers number 1 or 1,000, harm is still harm, and risk is still risk.

"Additionally, in terms of Thomas Cook's reputation it should have considered coming clean to the ICO and its customers before it was made public. We are at a time of heightened awareness of GDPR issues, and any sign that an organisation has attempted to cover up a breach will likely result in loss of reputation, so the public-relations and data subject notification exercise should be carried out swiftly and transparently. Where a company has had previous issues with data breaches, this is even more important.

"By being open, Thomas Cook may have avoided potentially harmful exposure. This begs the question of whether previous breach incidents linked to them really resulted in lessons learned. It does seem that Thomas Cook are failing in their technical due-diligence as both of their public data breaches have resulted from subsidiary companies which they now own."