Taken a flight or two since the dawn of the digital era? Chances are all the airlines you’ve flown with in the recent past still have some of your personal data. Name, email, phone number, the credit card you booked with – and that’s just for starters.
If you have a future flight booking the airline knows when and where you’re going and how long you’ll be away. It might also have your passport number, expiry date, where you were born and a close relative or friend to be contacted in an emergency, and that data is a potential gold mine for cyber criminals.
Airlines are typically vague about the personal information they collect. Qantas, to its credit, is one of the few that spells it out. As well as all the data above, the list of information Qantas collects, published on its website under the heading “Privacy and Security”, includes your social media handle, seat preferences, meal requests, health and dietary information, how you may have used Qantas’ inflight entertainment systems, any past interactions such as feedback, complaints, compliments and even CCTV images captured in Qantas’ airport lounges.
Hackers are constantly probing corporations that have large volumes of customer data, and that makes airlines a tempting target. While Qantas has not been caught up in a data breach, American Airlines has. In September 2022, the airline revealed that it had suffered a cyber attack two months previously.
Blamed on an email phishing campaign sent to one of the airline’s employees, the spill included names, email addresses, passport numbers, date of birth, driver’s license numbers, mailing addresses, phone numbers and medical information. The airline notified customers, adding that only a small number were affected, with the added assurance that the data had not been misused. That sounds like wishful thinking. If data from a breach gets posted on the dark web, who knows where it came from?
Airlines hang onto customers’ information for several years after their flight.
In March 2021, servers belonging to global information technology company SITA were attacked, affecting more than two million customers and at least nine airlines. One of those, Singapore Airlines, revealed that the data of some 580,000 members of its KrisFlyer program had been compromised. The data harvested included frequent flyer numbers, the status level and, in some cases, the name of the member, however passwords and email addresses were not affected.
Is the personal data airlines have on you useful for hackers?
The most useful information for a cyber criminal is your name, followed by your date of birth since that’s most often used to prove your identity. Next, your licence number, passport details, home address, phone number, credit or debit card numbers and what bank or investment accounts you might hold.