Hacking the Travel Industry: How to wreak havoc with a Surname and Booking Reference ?>

Hacking the Travel Industry: How to wreak havoc with a Surname and Booking Reference

Do you remember hearing the stories where concert/sport tickets were stolen because someone posted a photo of the barcode on Facebook?  What about the one at the Melbourne Cup where the winning TAB betting slip for $825 was stolen because the woman posted a selfie with the barcode in clear view?  It’s amazing how much damage you can do with such little pieces of data.

So here is a little something that concerns me about the travel industry.

Here is something you can try at home

Take a look at a recent itinerary you received from your travel agent or airline and have a look for your “Booking Reference”.  In the industry this is more commonly known as your PNR (Passenger Name Record) and it allows for your booking to be looked up in the giant systems that manage flight, hotel, car, and train booking data (these systems are known as GDS or CRS.


Okay, so you have found the first piece of data that we need.  Second of all, you will need your surname.  (Sometimes you might also need a third which is an e-mail address).  You, at this point, actually have enough data to verify yourself as the owner of that booking if you were to go to an airline website try and manage it, or look it up on a trip viewing website!

Woah, what do you mean I can manage my booking?

Doesn’t sound cool, does it?  So now that we know that it doesn’t take much to get keys to your travel kingdom, what can you do with a Booking Reference/PNR and a Surname on an airline’s website?  Let me list some things:

  1. Change the booking
  2. Cancel the booking
  3. Check in
  4. Change seating
  5. Change the meal
  6. See and change special requests such as required assistance and disabilities
  7. See personal information about the traveller and other passengers on the same PNR such as address, contact, and frequent flier information.

Surely it isn’t that simple?

I took a quick sample of some websites.  Below I have Qantas, Emirates, Virgin Australia, and Jetstar:

ManageBooking_Jetstar ManageBooking_VirginAus

What about “Trip Viewing” websites?

The news isn’t as bad, however, you can find out a lot about the passengers and where they are going this way.

TravelPort provide travel software to the industry and to one of the most dominant ones called Flight Centre.  Changes are you can use the TravelPort ViewTrip website to look at your personal and travel information using (you guessed it) just a PNR and a surname.

Other airlines might use the Amadeus GDS and booking software.  If that is the case then check out the Amadeus CheckMyTrip tool to see what you can find out about yourself using just your PNR and your surname.

What can we do about this?

Now can you see what perhaps it isn’t a good idea to take a photo with your e-ticket, itinerary, or any travel information that might contain your PNR?  Having said that, it is something that someone can glance at or intercept quite easily.

These systems are full of security holes.  Your PNR record held in the CRS and GDS systems contains a lot of personal information about you that can be accessed by anyone that has access to them.  It is a known fact that governments have access to these and use it as a way to collect information about people’s travel behaviors and movements.  Just try googling PNR security risk!

These systems are enormous and there is no way that they are going to change anytime soon after ~30 years of being the norm.  If anything, I urge all travel agencies and airlines to rethink the “PNR and Surname” approach to managing bookings and to think of other ways to lock it down.  By doing so, they are preventing hacking vulnerabilities and giving malicious people access to some of our personal data.


Want to talk more about the security holes we have in the travel industry?  Perhaps anything to do with GDSs and booking travel?  Please discuss in the comments below.