BA, Cathay Pacific data woes show weakness of airline data protection


British Airways admitted yesterday that its massive data breach was, well, even more massive, adding a further 185,000 people to the list of those whose data was stolen.

Cathay Pacific admitted just a few days ago a staggering data breach that allowed hackers to steal passport details, national ID, photos, emails and addresses of 9.4 million customers.

Data breaches are so frequent that we have almost become numb to them. Many of us remain unaffected, and the more knowledgeable and data-savvy know that, unless there is no other way to get what you want, the best course of action is never to surrender any piece of information that isn't essential.

The trouble with airlines is that governments require API (Advance Passenger Information). In most cases, for example prior to travel to the US, your passport information, the card your seats were paid for on and the names of those in your party are all transmitted at least 1 hour before departure and processed by Homeland Security to flag anyone they have concerns over. That level of data transfer is now carried out by almost all countries, and without it you won't be getting on that flight.

The onus is therefore on airlines to secure and hold crucial customer information to enable them to operate and you to fly seamlessly.


Some airlines delete the information automatically after a period, especially if you don't tick the box saying "store for future use", but many people (me being one) use one or two airlines so frequently, and for so many connecting flights, that it is too tedious to keep scanning passports back into apps when you need to check in for return flights, and you may have your passport in the hotel safe and not on you.

Some countries, China and Hong Kong among them, like to know everything about everyone all of the time, and data retention is required. The problem is who holds the data and how secure they are.

The simple fact is that if it's online it's not secure. It might be more secure or less secure depending on the data holder, but that's as far as it goes.

Airlines everywhere aren't especially good at security, preferring that you have ease of access rather than secure passwords. And there's a lot of money to be made from hijacking people's reward accounts, which their owners rarely check for months at a time.

With airlines unwilling to spend their precious profits on data security because it hasn't seemed to matter, and ever more determined hackers who do it because they can or for the money, it's just a matter of time before something goes horribly wrong and a major airline is seriously hampered, to devastating effect, by a data breach and/or attack.


Airlines will spin how good they are, but the reality is far from good enough. As just one example, one major airline recently made me upgrade my password. It had to be 5 to 8 letters and numbers with no special characters. A ten-year-old could bust that in a day. That was up from the 5-letter password they used until three months ago. So far I've only found one single airline that requires non-SMS (they can be intercepted) two-factor authentication via an authenticator app to access your booking and mileage account. That should be standard, but it seems Finnair is the exception and not the rule.
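To put the "5 to 8 letters and numbers, no special characters" rule in perspective, here is an added Python example (mine, not the airline's or the author's) that computes how many passwords each policy permits, expresses that as a worst-case strength in bits, and checks what each policy accepts. The stronger policy and the sample passphrase are assumed for comparison and are not from the page.

```python
import math
import string

# The weak policy described on the page: 5 to 8 characters, letters and digits only.
# Assumption: both upper- and lower-case letters count, giving a 62-symbol alphabet.
WEAK_POLICY = {"min_len": 5, "max_len": 8,
               "alphabet": string.ascii_letters + string.digits}

# Assumed stronger policy for comparison (not from the page): long, any printable ASCII.
STRONG_POLICY = {"min_len": 12, "max_len": 64,
                 "alphabet": string.ascii_letters + string.digits + string.punctuation}


def keyspace(policy):
    """Number of distinct passwords the policy permits, summed over every allowed length."""
    k = len(policy["alphabet"])
    return sum(k ** n for n in range(policy["min_len"], policy["max_len"] + 1))


def entropy_bits(policy):
    """Best-case strength (uniformly random password) in bits under the policy."""
    return math.log2(keyspace(policy))


def accepts(policy, password):
    """True if the policy would accept the password exactly as typed."""
    return (policy["min_len"] <= len(password) <= policy["max_len"]
            and all(c in policy["alphabet"] for c in password))


if __name__ == "__main__":
    for name, pol in (("5-8 alphanumeric", WEAK_POLICY), ("12-64 printable", STRONG_POLICY)):
        print(f"{name:18s} keyspace={keyspace(pol):.3e}  max strength={entropy_bits(pol):.1f} bits")
    # Constructed passphrase: the weak policy rejects it not because it is weak but
    # because the policy caps length at 8 and forbids punctuation.
    sample = "airline-miles-2018!"
    print("weak accepts:", accepts(WEAK_POLICY, sample))      # False
    print("strong accepts:", accepts(STRONG_POLICY, sample))  # True
```

The weak policy tops out below 48 bits even for a perfectly random password, which is why requiring a second factor matters more than any tweak to the character rules.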