Your Airline Data Could Be Target, Vulnerable To Hackers

A lack of security standards for how airlines handle passenger name records could make traveler data a target for criminals and terrorists. Austrian Airlines/Flickr

Airline security has become increasingly stringent since the attacks of Sept. 11, 2001, with each additional incident leading to a new limitation for travelers. Those safety precautions may add inconvenience but are generally accepted as part of the experience, as it's understood those procedures are necessary to ensure safety.

However, most of the security protocols that have been put in place at the airport address physical threats. Within the computer systems that keep track of the eight million people who catch a flight each day around the world is a wealth of data that could be the target of criminals or terrorists.


Think about the amount of information that is required to book a flight and it doesn't take long to realize that airlines are trusted with an incredible amount of information, from payment info to details about a person's travels to personally identifiable data that is often considered sensitive.

That information may all be necessary for an airline to verify a person's identity, but it's not necessary for it to potentially be exposed to malicious actors. Monica Eaton-Cardone, the founder and CEO of cybersecurity and fraud remediation company Chargebacks911, warned that a lack of unified standards within the travel industry for how to deal with customer data may be putting people at risk.

At the root of the problem are Passenger Name Records (PNR). First introduced as a way for airlines to exchange reservation information, PNRs are essentially a password associated with a traveler. In most cases, a last name and a PNR are all that is required to authenticate a flight.

That concept was innovative when it was first introduced as an early form of e-commerce, but has not kept up with the pace of evolving technologies nor the standards for data privacy.


Eaton-Cardone told International Business Times that while most businesses that decide to sell online are subjected to Payment Card Industry Data Security Standard (PCI-DSS)—a set of standards designed to dictate how consumer data is handled—the travel industry systems pre-date those requirements and operate without a single set of rules.

That is unfortunate because, as Eaton-Cardone notes, the travel industry collects a ton of data from its customers.

"In a Passenger Name Record, you have the passenger's name, all of the information that has to do with their flight, usually their address," she said. Additionally, those records can contain contact information, emails, IP addresses if the ticket is booked online, passport number, frequent flyer information and emergency contact information.

One thing it doesn't include is a full credit card number—just the last digits. Because of this, Eaton-Cardone explained, the industry is considered to be "compliant and secure" by credit card issuers.

This stems from an old way of thinking, where credit card data was the most valuable thing that could be compromised. But as breaches have become increasingly common, card networks have grown more adept at stamping out fake transactions.

Eaton-Cardone, whose company handles more than 2.4 billion online transactions per year for clients in 87 countries, said card companies will often halt a fraudulent purchase before the card holder even realizes their card was compromised.

Instead of worrying about the digits on the card—which are traded regularly on the darknet for relatively little—she advised that people should be more concerned about a breach exposing what the card may have been used for. "Today, logic would suggest more value is based on all of the purchasing history of a customer," she said.

This is because with customer purchase history, a person can find themselves in possession of someone else's entire identity, from personal details to buying habits—enough data to "take over an identity", according to Eaton-Cardone. "This presents a new type of risk."

And that risk is ever present with PNRs, which currently house massive amounts of personal information while lacking any standardization for what is stored and how it is protected.

Most PNRs are generated and maintained by a global distribution system (GDS), which handles the reservation process on behalf of the airlines. When a person goes to check in for their flight, that information is processed through the GDS.

Eaton-Cardone said to think of an airline's relationship to the GDS like that of a website to its web host.

"I have a website, but I use hosting companies to host my website. I don't own the hosting company and I have nothing to do with them and I'm not in that business, but I need the hosting company to have my website," she said. "That's how the reservation systems are. If you're an airline, you're doing your business but you have to hook into a hosting company or global distribution system in order to create your reservations."

Every GDS handles the PNRs it creates differently because there is currently no standard that requires them to handle data in a unified way.

"Every single reservation or hosting system has its own proprietary standard," Eaton-Cardone said. "You may have a PNR record that includes all of the buying and transaction history. It's not going to include a credit card number, but it could even include passport data. Another PNR record may include just a few points of data."

Because of the lack of standardization, every company involved in the transaction gets to operate on its own set of rules. Eaton-Cardone compared the situation to one in which banks didn't operate under the standards of the Federal Deposit Insurance Corporation (FDIC) and people were subjected to wildly varying rules when trying to deposit money or perform transactions.

The lack of uniformity creates potential security vulnerabilities that could be exploited—and some criminals already have.

In November 2016, eight men were able to enter an airport in Mumbai after gaining access to the PNR of several tickets for canceled flights. They were stopped before being allowed to board the plane but were able to get inside the terminal before authorities arrested them.

The Indira Gandhi International Airport in Delhi, India reported 30 arrests in 14 months between 2015 and 2016 related to fake or forged tickets. Another potential passenger was arrested in the airport earlier this year for having a ticket with a false PNR.

In some of these cases, the intention of the crime was believed to be relatively harmless—such as one man trying to get through security to go with a family member. That may not always be the case.

"If I'm a terrorist, for example, on a watchlist and I want to fly to Lebanon or Syria, if I have access to PNR data, I can actually fly anywhere in the world by using someone else's identity," Eaton-Cardone said.

As terrorist organizations have gotten increasingly savvy when it comes to technology usage, it's possible they may take to focusing on data as an asset that may benefit an attempt to carry out an attack—even as crackdowns on large electronic devices like laptops and tablets aim to counteract possible means of targeting aircraft.

The data from PNRs can also be used by criminals who have increasingly realized the value of personal information. "If I have the PNR records, then I can see who is going to be out of town at what time," Eaton-Cardone said. "I could actually use those records to see who's leaving their house."

The risks associated with the personal information attached to PNRs may be evident, but so is the reason there hasn't been a change in how they are handled: there hasn't been a big enough disaster related to the data to make a change.

Eaton-Cardone said for the travel industry, the existing technology is so ingrained that changing it would be a huge undertaking. And thus far the system hasn't shown itself to be broken, so why bother to fix it?

However, the system is only unbroken by the standard that nothing catastrophic has happened yet. It is broken by the standard of how we've come to understand the value of personally identifiable information, to which PNR protections have not caught up.

"None of us would want to publish for any criminal to be able to identify every place that we're going, how long we're going to be gone, who our family members are, the addresses of family members, whoever my emergency contact person is," Eaton-Cardone said. "This is all information that can be available from PNRs."

She advised that the travel industry take the time—however long a process it may be—to get together and establish a new standard that all GDS and airlines can abide by before an incident occurs that will force the change.

In her estimation, the travel industry should tap companies like Google and Amazon, which have their hands on tons of data and understand just how valuable personal information can be—both to businesses and to criminals. Those data-driven outlets also have a perspective on data that the travel industry doesn't and may realize the value of a certain piece of information that an airline doesn't view as sensitive.

"Collectively, as an industry, we have to take a more proactive approach to reassess all of the data and establish a security component that standardizes what type of compliance is needed to protect all of that data," Eaton-Cardone said. "It's no longer good enough to just protect the credit card number."