United Airlines Bug Exposes Refund Requests
An apparent glitch in the United Airlines website may have exposed the data of an unknown number of flyers who requested a refund. The glitch allowed anyone online to enter a ticket number and any last name, because the site validated only the ticket number, not whether the last name corresponded to the ticket.
An unknown number of flyers could have had some of their personal information released to the internet because of a bug that exposed refund requests on United Airlines’ website. TechCrunch reports a problem in the website allowed anyone who entered a valid ticket number to view refund requests.
Security Only Checked Ticket Numbers, Not Names
The glitch was first reported by digital security expert Oliver Linow, who works for German public broadcaster Deutsche Welle. By putting in any valid ticket number, Linow says he could see flyers’ last names, their payment type and currency used, along with the requested refund amount. The glitch was possible because the website’s code checked only for a valid ticket number, not whether the last name matched the one on the itinerary.
Although it may not sound like a lot of information, knowing a valid ticket number and last name could be enough to get into an itinerary and gather personal information from unsuspecting flyers. While Linow estimates up to 100,000 flyers may have been affected by the programming glitch, it’s unknown how many refund requests were unlawfully accessed.
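The missing check described above, as an added example that is not United's code or part of the original report: a refund lookup that accepts a last name but never compares it, next to one that requires the name to match and returns the same error for every failure. The record layout, function names and sample data are assumptions constructed for illustration.

```python
import hmac
import unicodedata

# Constructed sample records; ticket numbers, names and amounts are invented.
REFUNDS = {
    "9990000000001": {"last_name": "Müller", "payment": "card", "currency": "EUR", "amount": "412.50"},
    "9990000000002": {"last_name": "O'Neil", "payment": "voucher", "currency": "USD", "amount": "89.00"},
}


class LookupDenied(Exception):
    """One error for every failure, so responses do not reveal which tickets exist."""


def _norm(name: str) -> bytes:
    # Compare names as typed by a person: Unicode-normalised, trimmed, case-insensitive.
    return unicodedata.normalize("NFKC", name).strip().casefold().encode("utf-8")


def lookup_refund_flawed(ticket_no: str, last_name: str) -> dict:
    # Behaviour the article describes: last_name is accepted but never compared.
    record = REFUNDS.get(ticket_no)
    if record is None:
        raise LookupDenied("not found")
    return record


def lookup_refund_checked(ticket_no: str, last_name: str) -> dict:
    record = REFUNDS.get(ticket_no)
    # Unknown ticket: compare against a placeholder so both failure paths do the same work.
    expected = _norm(record["last_name"]) if record else b"\x00"
    name_ok = hmac.compare_digest(expected, _norm(last_name))
    if record is None or not name_ok:
        raise LookupDenied("not found")
    return record


def is_denied(fn, ticket_no: str, last_name: str) -> bool:
    # Helper for exercising either lookup without handling the exception at each call site.
    try:
        fn(ticket_no, last_name)
        return False
    except LookupDenied:
        return True
```

Matching the name closes the disclosure, but a ticket number plus last name is still a weak credential, so a production endpoint would also need rate limiting and monitoring for sequential ticket-number lookups.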
According to the TechCrunch report, the IT engineer reported the bug to United on July 6, 2020, and the airline patched the problem at least a month later. It’s unknown how long the bug was exploitable on the website.
In a statement to Business Insider, a spokesperson for United said they did not believe anyone’s personally identifiable information was directly affected by the glitch.
“We are committed to protecting our customers’ data and resolved this issue after it was brought to our attention,” the United spokesperson told Business Insider. “We are not aware of any sensitive customer data that was exposed or accessed and will continue to collaborate with cyber security researchers to stay ahead of any potential vulnerabilities within our digital channels.”
Security Flaw Latest Blow to United
Although it’s unclear if the security flaw directly affected anyone flying with the Chicago-based carrier, it is the latest problem to affect an airline already struggling to gain traction during the COVID-19 pandemic. In September 2020, the airline announced they would furlough over 16,000 employees, as a direct result of the lack of passenger demand and no additional support from the U.S. Congress.