Why your boarding pass should always be kept top secret
Ever snapped an image of your airline boarding pass and posted it to social media? Some do, and it’s not hard to find them. A quick trawl through Facebook and Instagram and bingo, there they are, with passengers’ names, ticket numbers and Passenger Name Records, the keys that can unlock a trove of useful information for anyone looking to do you wrong.
In a much-publicised instance, in 2020, former prime minister Tony Abbott snapped a photo of his boarding pass for a Qantas flight from Tokyo to Sydney and posted it to Instagram. Using Abbott’s booking reference and surname, hacker Alex Hope went to the “Manage booking” section on the Qantas website and, without too much difficulty, unzipped Abbott’s passport number, phone number, seat preference and staff comments regarding the former PM. Hope had no ill intent, and the only damage was a new passport for Abbott, but it could have been worse.
The airlines you fly with know a lot about you. Your name, date of birth, your passport number if you fly internationally, email address, phone number and credit card details. In the wrong hands, that data becomes part of a bigger picture about you that can be used to scam your credit card, plant malware in your computer or even steal your identity and transfer funds from your accounts to theirs.
In 2016, in a live demonstration at Europe’s annual Chaos Communication Congress, Karsten Nohl, chief executive of Berlin’s Security Research Labs, demonstrated how using nothing more than the barcode on your boarding pass a hacker could access your personal information, alter your coming flights to another passenger’s name, break into your frequent flyer account, steal your airline points and find out your address and travel dates.
Those last details are solid gold for an old-fashioned thief who might want to break into your home during your absence. Even a discarded boarding pass can become a handy tool for anyone looking to prise open your airline account and make use of whatever data they can extract.
That congress was back in the Pleistocene era in cybersecurity terms. Meanwhile, quite a few airlines have tightened security protocols. Singapore Airlines is one such airline. The carrier was scalded in a 2021 data breach when servers belonging to global information technology company SITA were hacked. The hack uncovered the names, addresses, frequent flyer numbers and status level of some 580,000 KrisFlyer members, although no passwords or email addresses were stolen.
American Airlines suffered a cyber-attack in 2022 that unveiled some passengers’ names, email addresses, passport numbers, date of birth, driver’s licence numbers, mailing addresses, phone numbers and medical information.
Since then, Southwest Airlines, American Airlines (again), Air Canada and Air Europe have all suffered data breaches, often when unsuspecting employees clicked on phishing emails that installed malware in their computer systems, offering a keyhole to hackers. At least the hatch has been tightened on frequent flyer accounts, with many airlines now requiring two-factor ID to access accounts.
Despite those ramped up measures, there are still pitfalls for those who are careless with their boarding passes. In March 2024, according to a story published online in AP News, Wicliff Yves Fleurizard of George, Texas, managed to board a Delta Air Lines flight using images of a boarding pass he’d snapped secretly from other passengers’ phones and boarding passes. After hiding out in the toilet, Fleurizard was only busted when it became apparent that his boarding pass was a dud. Had the flight not been totally full, Fleurizard would have plonked himself down in a vacant seat, enjoyed a free ride to his destination, and no one would have been any the wiser.
Qantas has just been fingered for an embarrassing data spill that leached passengers’ data via the airline’s app. On May 1, when they activated the Qantas app, passengers on early morning flights discovered they were being fed the flight bookings, boarding passes and points balances of other travellers.
According to those using the app, the feed was random and Qantas quickly chimed in, securing passengers’ data and claiming that the problem arose as a result of recent system changes. A statement from the airline said: “No further personal or financial information was shared and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.”
Sign up for the Traveller newsletter
The latest travel news, tips and inspiration delivered to your inbox. Sign up now.