
WestJet reports disclosure of guest information - Flott
http://westjet2.mediaroom.com/index.php?s=43&item=1256
======
tyingq
If this means someone is now generally targeting airlines with hacks, it may
be a rough ride. Airlines have been using tech for a long time, so their
websites are generally an entry point to a mess of legacy integration. And you
only have to hack a couple of airlines to get lots of people's data. We're
close to a billion passengers flown per year in the US across all airlines.

Also interesting in this context:
[https://www.rsaconference.com/writable/presentations/file_up...](https://www.rsaconference.com/writable/presentations/file_upload/asd-r03_-westjets-security-architecture-made-simple-we-finally-got-it-right.pdf) _"WestJet’s Security Architecture Made Simple: We Finally Got It Right (2015)"_

~~~
uiri
The security picture is much much worse than what you suggest. There are only
a few global distribution systems; mainly Amadeus and Sabre. These are used by
airlines to share passenger name records which include all the personal data
collected by the airline and booking agent. If Amadeus or Sabre have their
security breached, everyone who travels by air is hosed.

Since these systems are anywhere from 30 to 50 years old, they have little
concept of security. Your confirmation/reservation/booking number typically
serves the function of your password for the booking. With that, plus say,
your last name and _maybe_ your date of travel, it is possible to get full
access to the booking.

See this talk for more information:
[https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...](https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego)

~~~
tyingq
_"The security picture is much much worse than what you suggest"_

Er, okay. Where did I suggest it was rosy?

_"mainly Amadeus and Sabre"_

Travelport as well, their market share is similar to Sabre's. Also, the GDS part
is interesting, but there are lots of other peripheral systems for things like
loyalty programs, gift cards, APIs fronting the GDS, etc. All with legacy.
It's not really the old TPF platforms themselves that are the problem. It's
the sprawl of lots of legacy.

Edit: Also, that presentation. It does bring up a real industry problem, but
it also exaggerates for effect. Most airlines, for example, ask not just for
last-name/PNR-locator. They ask for first/last/PNR-locator. And what you can
do with that is generally somewhat limited (check-in/change/cancel)...you
can't, for example, log in as the passenger and see/use frequent flyer points,
stored credit cards, and so on. And the best source to get this info is
discarded, already-flown boarding passes, which kills those three
possibilities. They also use a genuinely bad example from Oman Air, but then
act like all airlines use a similar pattern...they don't. Not discounting that
there's a big issue, but the presenters do use a certain style to promote
their work.

