
11 Jul 2018

By James Chapple


Thomas Cook facing probe after admitting data breach

Thomas Cook has admitted that a data breach exposed the names, email addresses and flight details of a number of customers.


The leak was discovered by Norwegian security researcher Roy Solberg after he booked a flight with Ving, Thomas Cook Airlines Scandinavia.

Solberg found he could manipulate an email link from Cook to its online duty free shopping site, Airshoppen, to access the data, and detailed his investigation in a blog post.

After Solberg took his findings to Cook in June, the operator told him 15 days later that the vulnerability had been fixed.

However, the UK’s data watchdog, the ICO, says it will further investigate the incident after Cook said the breach did not pass its threshold for a referral to the information commissioner.

The airline also said due to the “limited volume” of data accessed, it did not contact affected customers.

Solberg said to avoid suspicion he rarely downloads a lot of data, but typically seeks to establish the scope of a breach.

“I did a few tests to see if I could see how many bookings this was affecting,” he wrote. “For Ving, this was pretty serious... the oldest bookings I saw were from 2013, and the most recent one from 2019. I suppose this means that data was leaking about at least tens of thousands of travels.”

He explained the simple nature of Ving/Cook’s booking numbers meant it was easy to work through potentially thousands of people’s travel plans.

In a statement, Cook said: "We take any breach of our customer data extremely seriously. After being alerted to this unauthorised access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law.

"Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities.

"For the same reasons, we have not contacted the customers affected.

"We regularly test our systems using third party agents and since becoming aware of this incident we have taken further steps across our IT systems to ensure that we don’t have a similar loophole elsewhere."

A spokesperson for the Information Commissioner’s Office (ICO) said: "An organisation must assess if a breach should be reported to the ICO. However, this story does raise some potential concerns and we will be making further enquiries."
