The leak was discovered by Norwegian security researcher Roy Solberg after he booked a flight with Ving, Thomas Cook Airlines Scandinavia.
Solberg found he could manipulate an email link from Cook to its online duty free shopping site, Airshoppen, to access the data, and detailed his investigation in a blog post.
After taking his findings to Cook in June, the operator told Solberg 15 days later that the vulnerability had been fixed.
However, the UK’s data watchdog, the ICO, says it will further investigate the incident after Cook said the breach did not pass its threshold for a referral to the information commissioner.
The airline also said due to the “limited volume” of data accessed, it did not contact affected customers.
Solberg said to avoid suspicion he rarely downloads a lot of data, but typically seeks to establish the scope of a breach.
“I did a few tests to see if I could see how many bookings this was affecting,” he wrote. “For Ving, this was pretty serious... the oldest bookings I saw were from 2013, and the most recent one from 2019. I suppose this means that data was leaking about at least tens of thousands of travels.”
He explained the simple nature of Ving/Cook’s booking numbers meant it was easy to work through potentially thousands of people’s travel plans.
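The weakness described above is an emailed link whose booking reference can be edited to reach someone else's booking, made worse by references that are easy to guess. One standard mitigation is to sign the link so the server only honours the booking it was issued for. The following is an added illustration, not Thomas Cook's or Ving's code; the URL, the booking store and the signing key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side signing key. Constructed here for the demo; in production it
# lives in a secret store and never appears in the link or the client.
SIGNING_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 7 * 24 * 3600

# Constructed stand-in for the booking database: short sequential references
# like those the article describes, which is why the link must be signed.
BOOKINGS = {"1000001": "a@example.com", "1000002": "b@example.com"}


def _signature(booking_ref: str, expires_at: int) -> str:
    """HMAC-SHA256 over the booking reference and expiry, hex-encoded."""
    message = f"{booking_ref}|{expires_at}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def make_shop_link(base_url: str, booking_ref: str, now: int) -> str:
    """Build the emailed duty-free link for one booking."""
    expires_at = now + LINK_TTL_SECONDS
    query = {"booking": booking_ref, "exp": expires_at,
             "sig": _signature(booking_ref, expires_at)}
    return f"{base_url}?{urlencode(query)}"


def resolve_shop_link(url: str, now: int) -> Optional[str]:
    """Return the booking reference the link is valid for, or None.

    Rejects links whose booking number was edited (signature mismatch),
    links missing any parameter, expired links, and unknown references.
    """
    params = parse_qs(urlparse(url).query)
    try:
        booking_ref = params["booking"][0]
        expires_at = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if now > expires_at:
        return None
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(presented, _signature(booking_ref, expires_at)):
        return None
    if booking_ref not in BOOKINGS:
        return None
    return booking_ref
```

Changing the booking number in a signed link invalidates the signature, so a guessable reference no longer grants access to another customer's data on its own.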
In a statement, Cook said: “We take any breach of our customer data extremely seriously. After being alerted to this unauthorised access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law.
“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities.
“For the same reasons, we have not contacted the customers affected.
“We regularly test our systems using third party agents and since becoming aware of this incident we have taken further steps across our IT systems to ensure that we don’t have a similar loophole elsewhere.”
A spokesperson for the Information Commissioner’s Office (ICO) said: “An organisation must assess if a breach should be reported to the ICO. However, this story does raise some potential concerns and we will be making further enquiries.”