A MAJOR VULNERABILITY in Thomas Cook Airlines' booking system could have exposed personal information, including names, email addresses and flight details, to third parties.
Norweigan security researcher Roy Solberg found that it was possible to retrieve the data using just a reference number, after booking a flight through travel agency Ving (owned by Thomas Cook).
Ving assigns incremental booking reference numbers to its customers (i.e, 101, 102, 103), making it relatively easy to view other customers' details using the exploit.
Solberg said that he was able to access flight details from as far back as 2013 and into 2019, meaning that potentially hundreds of thousands of bookings were compromised.
"I asked friends and family for booking numbers to test with, and even found some more on Google. It was possible - using only the booking number - to get the data for the travels from the travel companies Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway," Solberg said.
Despite that, Thomas Cook has said that an internal assessment has determined that the sensitivity of the data did not pass its threshold for reporting the case to data protection authorities.
The company says that only its Nordic division was affected by the vulnerability, which has since been fixed (after repeated warnings from Solberg). Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were all at risk.
Thomas Cook told Sky News: "We take any breach of our customer data extremely seriously. After being alerted to this unauthorised access to our online duty-free shopping website in Norway, we closed the loophole and took responsible actions in line with the law.
"Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities.
"For the same reasons we have not contacted the customers affected."
However, an ICO spokesperson said: "An organisation must assess if a breach should be reported to the ICO. However, this story does raise some potential concerns and we will be making further enquiries."
The week in Google
The scandal that just keeps giving
Clip to the end....