Thomas Cook website spills personal info – and it's fine with that
Decides not to report code blunder despite Europe's new GDPR privacy rules
Holidaymakers who used Thomas Cook Airlines had their personal information spilled onto the internet no thanks to basic coding cockups.
Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines’ systems using only a booking reference number. Simply changing the booking number unveiled a new set of customer details.
The exposed info covered trips booked through the travel agency Ving, which is owned by Thomas Cook.
Thomas Cook Airlines has closed the privacy hole, technically known as a Insecure Direct Object Reference (IDOR), a common enough and basic problems on poorly-designed web applications.
Solberg reckoned on Sunday that data of bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were affected by the vulnerability. Data going back to 2013 was obtainable before the hole was closed. Simple scripts might easily have been used to download the exposed data before the security hole was resolved, he adds.
Everything's fine! Nothing to see here
A spokeswoman for Thomas Cook was at pains to emphasise "this did not affect UK customers," before forwarding a canned statement further downplaying the incident, which it is not treating as a notifiable privacy breach.
We take any breach of our customer data extremely seriously. After being alerted to this unauthorised access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law.
Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.
We regularly test our systems using third party agents and since becoming aware of this incident we have taken further steps across our IT systems to ensure that we don’t have a similar loophole elsewhere.
Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, explained the basis in which Thomas Cook might have decided it was legally permissible not to notify customers or the regulator.
MyTravel's website woesREAD MORE
“Thomas Cook has used Article 33 of the GDPR to avoid reporting this incident both to the ICO and its customers. This refers to the fact that organisations do not need to report a breach of personal data where the risk to customers is low."
You can read the text of Article 33 here (page 52 of the PDF).
"It appears that in making this assessment Thomas Cook has used the fact that only 100 of its customers’ data was compromised, and that it was done so as part of non-criminal ‘test’ by a cyber researcher. Arguably, whether affected customers number 1 or 1000 harm is still harm, and risk is still risk," he added.
More commentary on the incident from security pundit Graham Cluley can be found here. ®