Originally Posted by squawk
Out of curiosity, as someone who has never used/had access to Amadeus but has an interest in IT and security, can you be more specific here CWS? I assume (and would hope) that Amadeus doesn't let users run any old SQL syntax, and that it effectively uses prepared statements (parameterised queries) for security - and that one of these is effectively "extract me a list of all phone numbers from flights currently delayed". But presumably these kinds of uses are logged against a username, so it should be possible for forensics to triangulate which person(s) are running these queries regularly and proceed with a more targeted investigation from there?
Is there any indication that HAL/BA security are looking into this - I guess a lot of people in this thread have reported it to them.
It's all speculation on my part, I could be totally wrong on this. But I imagine BA and a few other airlines are trying to find the source, but probably aren't talking to each other to be able to home in on the source of this data.
Amadeus is in essence one monster data warehouse and all the front-end programming is some sort of querying process. So the core responsibilities of a ground agent will be to get this sort of information, customer by customer, in order to do their job. I imagine that Amadeus has various safeguards in it, but there is always a weakest link. The big BA data leak that led to BA getting a huge fine from the ICO happened due to an outstation in the Caribbean having weak shared password security and an external "front door" to that airport's computers, put in by a local contractor with the best of intentions and even weaker security. So I'm speculating here that someone with either good computer skills or a hefty degree of luck has found something similar in this area and is monetising it at 50 cents per successful claim, or similar.