Middle East carrier Emirates is facing accusations that the booking process is insecure after a data security engineer claims he found leaks in the flight booking process. The flyer says booking data is being shared with as many as 14 partners – an accusation Emirates denies.
Is your personal data at risk when you book with Emirates? South African IT website ITWeb reports the Middle East carrier could be sharing your ticket data with a number of partners.
A data security engineer first reported the potential data leak to the website. During the booking process for a future trip, he noted around 300 data points collected by Emirates about his itinerary. This was ultimately turned into a “manage preferences” page where he could make changes to flights.
However, a deeper dive by the flyer found that this page was not only shared with him via e-mail. With a little investigation, the flyer claims, his preferences and personal information were shared with as many as 14 different third-party programs. The “trackers” included popular names like Google and Facebook, and the data was also allegedly shared with lesser-known programs including Crazy Egg and Boxever.
To make matters worse, the flyer says the preferences page was not secured using HTTPS, the standard encrypted protocol for sensitive data online. Instead, the unencrypted HTTP protocol was used, which could compromise the privacy of the page and potentially leave its contents accessible to anyone.
In a statement to ITWeb, the airline denied the accusations leveled by the flyer over privacy concerns. The airline claims it works with “a number of third party analytical tools on our sites for the purpose of improving the online browsing experience,” and the Dubai carrier says that its policies allow flyers to protect their privacy at all times.
“We can confirm that none of the security vulnerabilities highlighted in [the flyer’s] article will allow a breach (unauthorized access) of personal data on our Web site or mobile app,” a spokesperson for Emirates said in their statement to the website. “The depiction in [the flyer’s] article as to what data is being shared, or customer choice in ‘opting out’ is inaccurate.”
In a test completed by third-party security firm High-Tech Bridge after the accusations went public, the firm claims many of Emirates’ web pages “have very weak encryption or no encryption at all.” The security firm says its test has been used on 6.18 million servers around the world.