Travel firm Thomas Cook has admitted a data breach which exposed the names, email addresses, and flight details of customers.

The breach was conducted by Roy Solberg, a Norwegian security researcher, who blogged about accessing customer data through vulnerabilities which he reported and have since been fixed.

Thomas Cook suggested that Mr Solberg was the only person to exploit the security issue and that fewer than 100 bookings were accessed.


It is understood that an internal assessment at Thomas Cook found that the customer data which was accessed did not pass their threshold for reporting the incident to the data protection authority.

Mr Solberg, who did not immediately respond to Sky’s enquiries, suggested that the details of hundreds of thousands of bookings dating back to 2013 were available to hackers.

In his blog post, Mr Solberg said: I never download a lot of data as I don’t want anyone to question my motives, but I do like to get an idea of the scope of a data leak, so I did a few tests to see if I could see how many bookings this was affecting.

In a statement, the travel firm told Sky News: We take any breach of our customer data extremely seriously.

After being alerted to this unauthorised access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law.

Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities.

For the same reasons we have not contacted the customers affected.

Thomas Cook added: We regularly test our systems using third party agents and since becoming aware of this incident we have taken further steps across our IT systems to ensure that we don’t have a similar loophole elsewhere.

A spokesperson for the UK’s data watchdog, the Information Commissioner’s Office (ICO), told Sky News: An organisation must assess if a breach should be reported to the ICO. However, this story does raise some potential concerns and we will be making further enquiries.

Mr Solberg noted that if you call an airline or airport to request information about passengers, it wouldn’t be handed out for privacy reasons – suggesting that these reasons should remain in place when it comes to data being leaked online.

Thomas Cook has clarified to Sky News that the issue doesn’t affect any UK customers as the vulnerability was only present in a system used by our Nordics division.

(c) Sky News 2018: Names and flight details exposed in Thomas Cook customer data breach

Comments

comments