Thomas Cook Shrugs Off Personal Data Breach
Thomas Cook data breach was lucky to get off lightly! The potential loss of data could of been catastrophic.
Thomas Cook has defied the GDPR by deciding that its data breach was too small to be worth reporting to the Information Commissioner.
A security researcher, Roy Solberg, found that Thomas Cook’s Norwegian website lacked basic security, and could be used to retrieve the names and email addresses of all passengers, along with their flight details.
In most businesses, this would surely raise alarm among customers. In aviation, you’d think it would shake the company into action. No business in its right mind would give out passenger information online.
But Thomas Cook decided that it wasn’t a big deal. As such, it did not tell the customers affected, but simply fixed the breach quietly.
Small But Significant
In security terms, the “hack” was fairly basic, and involved simply guessing booking references on airshoppen.com.
Roy Solberg simply went to the normal booking system and changed the URL parameters.
He found he could retrieve his booking even if he used the wrong date.
Additionally, the company behind the website was using incremental booking references. Adding one number to the reference was all that was required to retrieve someone else’s personal data. He also successfully tested this with other people’s details.
In theory, it would be possible to scale this up to a brute force attack and access thousands of records very quickly. At least four Norwegian travel agents used the site.
How Serious Does a Breach Need to Be Under GDPR?
Thomas Cook said that, since the researcher only accessed 100 records, it wasn’t serious enough to trigger a customer notification – although it has issued a fix for the flaw. But in theory, a person with malicious intentions could have accessed data from 2013 right up to the very latest 2019 bookings, with risks for airline security, ID theft, and more.
When Roy blogged about the breach, he judged it to be “high or severe”. The Information Commissioner’s office is concerned that customers haven’t been told, although it does acknowledge that Thomas Cook is within its rights to assess whether the breach is serious enough.
At the same time, it could have had much bigger consequences for customers than it did – and seemingly that was just down to luck.
There are questions about why such important data was kept behind a simple form that appeared to lack basic security. There has been a massive campaign of awareness around GDPR, and a company with the resources that Thomas Cook has shouldn’t be leaving these things to chance.
Thomas Cook says that no UK customers were affected, but that won’t mean much for its Scandinavian passengers. It has shrugged off the issue for now, but this could well come back to bite them if the Information Commissioner decides to investigate.