United Airlines’ website bug exposed traveler ticket data

A bug in United Airlines’ website let anyone access the ticket information for travelers who requested a refund.

The airline’s website lets users check their refund status by entering their ticket number and last name. But the website wasn’t validating the last name, making it possible to access other travelers’ refund information by changing the ticket number.

IT security expert Oliver Linow, who found the bug, told TechCrunch that he could see traveler surnames, the payment type and currency used to buy the ticket, and the refund amount.
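The flaw described above, as an added sketch that is not United's code and not part of the original article: a refund lookup that accepts a last name without checking it, beside one that requires it to match the stored record. All records, field names and function names are constructed for illustration.

```python
import hmac
import unicodedata

# Constructed sample records; ticket numbers, names and amounts are invented.
REFUNDS = {
    "0000000000001": {"last_name": "Müller", "payment_type": "card",
                      "currency": "EUR", "amount": "412.50"},
    "0000000000002": {"last_name": "O'Brien", "payment_type": "card",
                      "currency": "USD", "amount": "230.00"},
}


def _normalize(name):
    # Fold case, whitespace and Unicode compatibility forms so that
    # "MÜLLER " and "Müller" compare equal.
    return unicodedata.normalize("NFKC", name).strip().casefold().encode("utf-8")


def refund_status_vulnerable(ticket_number, last_name):
    # The flaw: last_name is accepted but never checked, so the ticket
    # number alone decides whose record is returned.
    return REFUNDS.get(ticket_number)


def refund_status_checked(ticket_number, last_name):
    record = REFUNDS.get(ticket_number)
    # Use a dummy value for unknown tickets so "no such ticket" and
    # "wrong name" follow the same path and give the same answer.
    expected = _normalize(record["last_name"]) if record else b"\x00"
    supplied = _normalize(last_name)
    if record is None or not hmac.compare_digest(expected, supplied):
        return None
    # Data minimisation: the caller already knows the surname, so return
    # only the refund fields.
    return {k: record[k] for k in ("payment_type", "currency", "amount")}


if __name__ == "__main__":
    # Ticket 2 requested with ticket 1's surname.
    print(refund_status_vulnerable("0000000000002", "Müller"))
    print(refund_status_checked("0000000000002", "Müller"))
    print(refund_status_checked("0000000000001", "MÜLLER "))
```

The check only helps if it runs on the server for every request; validating the name in the browser form alone leaves the lookup open to a changed ticket number.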

United, like most other airlines, lets passengers access and modify their upcoming flights using only a passenger’s ticket number and last name.

Linow reported the issue to United on July 6. It took the airline a month to fix. But Linow did not hear back again from the airline.

It’s not known how long the bug was present. United did not respond to our emails with questions about whether the airline informed data protection authorities about the incident.

Companies found in violation of European data protection rules can be fined up to 4% of their annual revenue.

Airlines have withheld billions of dollars’ worth of refunds during the pandemic amid a sharp decline in passenger numbers. United later received a $5 billion share of a $25 billion U.S. federal aid package aimed at keeping the airline industry afloat.

Earlier this month, United said it would furlough about 20% of its staff — some 16,370 employees.