A leak in the tour operator’s Nordic brand Ving exposed the data of an unspecified number of customers.
The tour operator giant Thomas Cook has admitted that a data breach exposed the names, email addresses and flight details of a number of its customers.
Sky News and TTG report that the leak was discovered by Norwegian security researcher Roy Solberg after he booked a flight with Ving, Thomas Cook Airlines Scandinavia.
Solberg found that he could manipulate an email link from the operator to its online duty-free shopping site, Airshoppen, to access other clients’ data. He then wrote about his investigation in a blog post.
Solberg says that to avoid suspicion he rarely downloads a lot of data but typically seeks to establish the nature and scope of a breach.
“I did a few tests to see if I could see how many bookings this was affecting,” he writes. “For Ving, this was pretty serious… the oldest bookings I saw were from 2013, and the most recent one for 2019. I suppose this means that data was leaking about at least tens of thousands of travels.”
The simple nature of Ving’s and Cook’s booking numbers means it was easy to work through potentially thousands of people’s travel plans, he explained.
Investigation to start
Solberg alerted Thomas Cook in June, and 15 days later the operator told him that the vulnerability had been fixed. However, the UK’s data watchdog, the Information Commissioner’s Office, says it will further investigate the incident.
The operator insists that a “limited volume” of data was involved and that because of this it has not contacted the affected customers.
“We take any breach of our customer data extremely seriously. After being alerted to this unauthorised access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law,” the company said in a statement.