Thomas Cook website spills personal info – and it's fine with that

Decides not to report code blunder despite Europe's new GDPR privacy rules


Holidaymakers who used Thomas Cook Airlines had their personal information spilled onto the internet no thanks to basic coding cockups.

Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines’ systems using only a booking reference number. Simply changing the booking number unveiled a new set of customer details.

The exposed info covered trips booked through the travel agency Ving, which is owned by Thomas Cook.

Thomas Cook Airlines has closed the privacy hole, technically known as an Insecure Direct Object Reference (IDOR), a common and basic problem in poorly designed web applications: the server hands back a record keyed on a client-supplied identifier without checking that the requester is entitled to it.
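To make the IDOR concrete from the defender's side, here is an added example (not Thomas Cook's or Ving's code) with a lookup that trusts the booking reference alone next to a hardened lookup that also demands data bound to the booking, plus a simple detection pass over constructed access-log tuples. Booking records, e-mail addresses, client addresses and the threshold are all constructed for illustration.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Booking:
    reference: str
    passengers: Tuple[str, ...]
    email: str
    flight: str

# Constructed sample records (not real customers). The references are
# sequential, which is what made the reported bug trivially enumerable.
BOOKINGS = {
    "100001": Booking("100001", ("Ola Nordmann",), "ola@example.test", "OSL-PMI"),
    "100002": Booking("100002", ("Kari Hansen", "Per Hansen"), "kari@example.test", "CPH-AGP"),
}

def lookup_vulnerable(reference: str) -> Optional[Booking]:
    """IDOR: the reference is the only key, so whoever supplies a valid
    reference receives that customer's booking."""
    return BOOKINGS.get(reference)

def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so a failed check does not leak how much matched.
    return hmac.compare_digest(a.casefold().encode(), b.casefold().encode())

def lookup_hardened(reference: str, email: str, surname: str) -> Optional[Booking]:
    """The reference alone is not enough: the caller must also present data
    bound to the booking. Unknown reference and failed check give the same
    answer, so the response does not confirm that a reference exists."""
    booking = BOOKINGS.get(reference)
    if booking is None:
        return None
    email_ok = _eq(booking.email, email)
    surname_ok = any(_eq(p.split()[-1], surname) for p in booking.passengers)
    return booking if email_ok and surname_ok else None

def enumeration_suspects(access_log: Iterable[Tuple[str, str]], threshold: int = 20) -> List[str]:
    """Detection: flag clients that look up many distinct references."""
    seen = defaultdict(set)
    for client, reference in access_log:
        seen[client].add(reference)
    return sorted(c for c, refs in seen.items() if len(refs) >= threshold)

# Constructed log: one client walks 25 consecutive references, another repeats
# a normal lookup of its own booking.
SAMPLE_LOG = [("203.0.113.9", str(100000 + i)) for i in range(25)]
SAMPLE_LOG += [("198.51.100.4", "100002")] * 3
```

In a real deployment the second factor would usually be an authenticated session that owns the booking rather than e-mail plus surname; the point is that the identifier by itself is never the authorization check.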

Solberg reckoned on Sunday that data from bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway was affected by the vulnerability. Data going back to 2013 was obtainable before the hole was closed, and simple scripts could easily have been used to download the exposed data before it was resolved, he added.

Everything's fine! Nothing to see here

A spokeswoman for Thomas Cook was at pains to emphasise "this did not affect UK customers," before forwarding a canned statement further downplaying the incident, which it is not treating as a notifiable privacy breach.

We take any breach of our customer data extremely seriously. After being alerted to this unauthorised access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law.

Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.

We regularly test our systems using third party agents and since becoming aware of this incident we have taken further steps across our IT systems to ensure that we don’t have a similar loophole elsewhere.

Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, explained the basis on which Thomas Cook might have decided it was legally permissible not to notify customers or the regulator.


“Thomas Cook has used Article 33 of the GDPR to avoid reporting this incident both to the ICO and its customers. This refers to the fact that organisations do not need to report a breach of personal data where the risk to customers is low."

You can read the text of Article 33 here (page 52 of the PDF).

"It appears that in making this assessment Thomas Cook has used the fact that only 100 of its customers’ data was compromised, and that it was done so as part of a non-criminal ‘test’ by a cyber researcher. Arguably, whether affected customers number 1 or 1000, harm is still harm, and risk is still risk," he added.

More commentary on the incident from security pundit Graham Cluley can be found here. ®

Biting the hand that feeds IT © 1998–2022