In a troubling security breach, Airportr, a UK-based premium luggage service used by various airlines, was found vulnerable to hackers, exposing sensitive user data, including the travel plans of many high-profile users such as diplomats. Researchers from CyberX9 discovered significant security flaws in Airportr’s website that allowed them to access the personal information of all users, from names and addresses to detailed itineraries and even passport images.
Airportr’s service is designed to facilitate door-to-door luggage handling for users primarily traveling to and from countries in Europe. This means their clientele often includes international travelers, and according to the researchers, many customers are government officials. In their investigation, CyberX9 pinpointed vulnerabilities that enabled them to gain super-admin access to Airportr’s systems, allowing for the potential redirection or theft of luggage.
The vulnerabilities stemmed from simple web flaws, which CyberX9’s team reportedly identified quickly. They highlighted that with just a user’s email address, they could reset passwords and access accounts with minimal resistance. The compromised data included customers’ names, phone numbers, travel history, and even luggage details. Among the data accessed were the personal records of various diplomats, including a UK ambassador and a US cybersecurity official.
Randel Darby, CEO of Airportr, acknowledged the situation, noting that once alerted by CyberX9, the company acted quickly to disable the vulnerable backend system and remediate the security flaws. He emphasized that the data was accessed only for security testing purposes and that the flaws were corrected quickly. However, CyberX9 cautioned that the ease of exploiting these vulnerabilities raised concerns about whether malicious hackers might have accessed the data prior to their investigation.
The findings also pointed to a broader concern regarding third-party services linked to airlines. CyberX9’s CEO, Himanshu Pathak, stressed that airline partners must also be responsible for the security of customers’ sensitive information when they recommend third-party services. He emphasized the importance of scrutinizing conditions that might expose traveler data, as breaches can often stem from overlooked service providers.
Airportr serves various major airlines, including American Airlines, British Airways, and Lufthansa, focusing on enhancing customer convenience. While the company claims to have handled over 800,000 bags, this incident raises questions about operational security and data safety within the travel industry.
In light of this breach, both Airportr and its airline partners face increasing scrutiny and pressure to strengthen their security protocols to safeguard customer data more effectively.