How much does your airline know about you? More than you think


Taken a flight or two since the dawn of the digital era? Chances are all the airlines you’ve flown with in the recent past still have some of your personal data. Name, email, phone number, the credit card you booked with – and that’s just for starters.

If you have a future flight booking the airline knows when and where you’re going and how long you’ll be away. It might also have your passport number, expiry date, where you were born and a close relative or friend to be contacted in an emergency, and that data is a potential gold mine for cyber criminals.

Qantas keeps a record of which inflight movies you watched.

Airlines are typically vague about the personal information they collect. Qantas, to its credit, is one of the few that spells it out. As well as all the data above, the list of information Qantas collects, published on its website under the heading “Privacy and Security”, includes your social media handle, seat preferences, meal requests, health and dietary information, how you may have used Qantas’ inflight entertainment systems, any past interactions such as feedback, complaints, compliments and even CCTV images captured in Qantas’ airport lounges.

Hackers are constantly probing corporations that have large volumes of customer data, and that makes airlines a tempting target. While Qantas has not been caught up in a data breach, American Airlines has. In September 2022, the airline revealed that it had suffered a cyber attack two months previously.

Blamed on an email phishing campaign sent to one of the airline’s employees, the spill included names, email addresses, passport numbers, date of birth, driver’s license numbers, mailing addresses, phone numbers and medical information. The airline notified customers, adding that only a small number were affected, with the added assurance that the data had not been misused. That sounds like wishful thinking. If data from a breach gets posted on the dark web, who knows where it came from?

In March 2021, servers belonging to global information technology company SITA were attacked, affecting more than two million customers and at least nine airlines. One of those, Singapore Airlines, revealed that the data of some 580,000 members of its KrisFlyer program had been compromised. The data harvested included frequent flyer numbers, the status level and, in some cases, the name of the member; however, passwords and email addresses were not affected.

Is the personal data airlines have on you useful for hackers?

The most useful information for a cyber criminal is your name, followed by your date of birth since that’s most often used to prove your identity. Next, your licence number, passport details, home address, phone number, credit or debit card numbers and what bank or investment accounts you might hold.

Your email address is easy to find, and by itself that’s a low-value item. However, a scammer might send phishing emails to a multitude of email addresses, purporting to be from a bank, a telco or a delivery service and asking the recipient to click on a link that could install malware, which then opens a portal for an attack. History shows that a small percentage of recipients will click on the link.

With enough of these data nuggets stitched together, a scammer can weave a picture of you that allows them to call, text or email you masquerading as a representative of your financial institution, or a technical expert from your internet service provider identifying a non-existent problem with your connection. Since they seem to know things about you that only a trusted source would know, you might be inclined to give them the details they’re looking for, and disaster will soon follow.

How do airlines safeguard customers’ data?

When you buy an airline ticket over the internet, most airlines use Secure Sockets Layer (SSL) encryption, the standard technology for safeguarding the transmission of sensitive data. Qantas uses SSL, as do Emirates, Lufthansa, British Airways, United Airlines and Virgin Australia.

Airlines hang onto customers’ information for several years after their flight. It might be a legal requirement, for example to satisfy the tax authorities or to comply with anti-money-laundering legislation, but also to cover the possibility that a customer might instigate legal action against the airline, or where the airline itself becomes the plaintiff. German carrier Lufthansa, for example, generally erases personal data within 10 years, but in some cases not for 30 years.

That data can also be shared with third parties. These might be other airlines performing part of a service, such as a codeshare flight, travel agencies, ground transport providers, law enforcement agencies and government authorities. It’s a long list, and it is these third parties that may have less stringent data protection measures, and which provide a wormhole for hackers to wriggle into. Latitude Financial Services was quick to blame a trusted service provider for a recent hack which saw the identification documents of 328,000 customers stolen. In that case the hacker was able to log in using credentials stolen from a service provider employee with administrator access.

As an end user you have no choice about the data you give to an airline. Choose not to and you shear yourself off from the convenience, the opportunities and the richness that the digital world brings to our lives. And you probably won’t be flying anywhere soon. The data that airlines hold on us is hardly unique; it’s one incremental packet of information in the mound of data that we willingly hand over as the price of participating in that world.
