Security fears as paparazzi obtain celebrity travel details

January 13, 2018
Keith Urban and his family are among those caught up in a security breach. Photo: Virgin Australia,

Security worries about global booking platforms are back in the spotlight after an Australian newspaper revealed  paparazzi were able to obtain travel details for high-profile celebrities such as Keith Urban, Naomi Watts and Rebel Wilson

The Weekend Australian obtained screenshots of Virgin Australia travel itineraries for celebrities including Watts, Wilson and Urban as well as for one of  Urban’s children with Nicole Kidman.

The information included flight numbers, booking numbers and arrival and departure times.

A spokeswoman for Kidman, Wendy Day described the breach as “extremely disturbing” and warned that data could potentially fall into the hands of stalkers or terrorist.

“It is absolutely horrific for anyone to have their children’s safety endangered,” Day told the newspaper.

The incident again highlights global concerns raised last year by Germany’s Security Research Labs about poor cybersecurity in  global booking platforms widely used by airlines.

Three Global Distribution System (GDS) providers  — Sabre, Amadeus and Travelport— handled more than 90 per cent of flights but the SR Labs report found the legacy systems lacked a proper a number of web security best practices.

This included the lack of a proper way to authenticate travelers.

The report was critical of the six digit alphanumeric booking code, known as the PNR, used to access and change traveler’s information.

“The authenticator is printed on boarding passes and luggage tags,’’ it said “Any person able to find or take a photo of the pass or tag can access the traveler’s information – including e-mail address and phone number – through the GDS’s or airline’s web site.”

The report said traveler information was also vulnerable to hacking and the way the six-digit codes were chosen made them weaker than a five-digit password.

It warned an intruder with a passenger’s booking code could invade their privacy, steal flights, divert frequent flyer points and phishing.

Airlines have been pushing GDS providers for security improvements and Virgin said it had been working with its partner, Sabre.

“Virgin Australia is a strong advocate for the highest standards of security with all of our technology providers and work closely with them to ensure we continue to enhance our processes,’’ the airline said in a statement provided to AirlineRatings.

“This is an issue that affects airlines around the world and Virgin Australia is currently working actively with a number of other airlines to advocate for our system provider to improve its audit controls.

“Internally, Virgin Australia has implemented increased security controls around system access.”

Australia’s other major carrier, Qantas,  is partnered with GDS giant Amadeus and said confidentiality and security of passenger information was taken seriously by the airline and its suppliers.

“If breaches are reported to us, we will immediately act upon them including referring them to the authorities,’’ a spokeswoman said. “We also recommend that passengers never post photos of their boarding pass on social media just like they wouldn’t post their credit card number online.”

READ: How posting boarding passes online helps cyber-criminals.

Virgin in 2017 banned  Australian paparazzo Jaqyden Seyfarth after he used a self-service check-in to print the boarding passes of Bachelorette Sophie Monk and Stu Landy and used them to access the airline’s lounge.