airBaltic, the Latvian national airline, has admitted that a “technical error” exposed the booking details of some of its passengers to other airBaltic passengers.
Passengers also reported receiving unexpected emails addressed to them by another customer’s name.
The Riga-based airline, incorporated as AS Air Baltic Corporation, operates flights to 80 destinations and is 97% government-owned. Although the airline says the leak affects a small percentage of its customers and no financial or payment data has been exposed, the airline has yet to disclose the total number of passengers affected.
Accidental exposure scares passenger bookings
Yesterday, several airBaltic passengers said they received emails addressed to someone else:
Hey @airBaltic Thank you for your e-mail. I appreciate your coupon, but I don’t fly to Rome and I’m definitely not Artis.
However, I now have full access to his booking and contact details. Want to explain? pic.twitter.com/SnyltmPsEU
— Misha K (@theramoar) May 12, 2023
The airline has also started sending emails to its customers, notifying them of a data breach that exposed their booking information to other passengers.
One of these emails was spotted by a security researcher Erik Wynterwho shared it with BleepingComputer:
BleepingComputer has been informed that the information exposed may include full names, dates of birth, email addresses, etc. passengers.
The incident was not the result of a cyberattack
An airBaltic spokesperson confirmed to BleepingComputer that the issue affected 0.009% of its customers as of this year:
“We can confirm that on Friday 12 May an internal technical problem was detected in airBaltic’s email delivery system, as a result of which a small number of passengers (approximately 0.009% of our customers this year ) received an incorrect e-mail with another passenger’s flight booking information,” airBaltic told BleepingComputer.
“This email did not contain any method of payment or other financial details, nor sensitive information. The protection of personal data is very important to us, so we can guarantee that in the incident, the personal information of the uninvolved passengers are safe and the incident has been contained.”
Considering airBaltic carried around 3.3 million passengers in 2022, the otherwise tiny percentage could mean the data exposure incident impacted hundreds of travelers.
As the data exposed includes sensitive booking details such as PNR/booking number, knowledge of which could be used to alter an itinerary, some passengers expressed concernurging the airline to issue them a new reservation number.
“This was done for passengers who contacted the airline individually and wanted it themselves,” airBaltic added to BleepingComputer.
The spokesperson states that the issues were the result of an “internal technical error” and that no malicious activity or external influence (such as a cyberattack or threat actor) is responsible for the issues.
“The email was sent in a language intended for the passenger whose data was included in the respective message, depending on the settings and language selection during the booking process,” the airline also said. . tweetedand the the same thing was observed by some passengers.
“The protection of personal data is very important to us, so we are thoroughly investigating this case and will contact all affected passengers within the day. We guarantee that the personal data of unaffected passengers is not compromised and that the incident is currently under control. We apologize for any inconvenience caused.”
If you are an airBaltic customer who has been affected by the issue, it may be worth contacting the airline and asking them to provide you with a new booking number.