Report: Flight Booking Platform Exposes Customer Data

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s team recently discovered a huge data breach in flight booking website Option Way. 

Based in France, with an international customer base, Option Way helps users find flight deals to and from destinations around the world.

The data breach exposed the personal details of customers, creating a complete profile, as well as detailed information about their flights and travel arrangements. In total, our team had access to over 100GB of data, compromising the privacy and security of Option Way and its users.

Timeline of Discovery and Owner Reaction

• Date discovered: 20/08/19

• Date vendors contacted: 25/08/19

• Date of Response and Leak closed: 29/08/19

Example of Entries in the Database

On their website, Option Way claims the following:

“The  www.Option Way.com website is protected by an SSL certificate. 

When you enter your personal data, it is encrypted and stored to let you make transactions. Your personal data is processed in line with the recommendations set out by the CNIL (France’s data protection authority).”

However, this is not true.

Our team was able to access over 100 GB of data, a massive amount of customers’ unencrypted Personally Identifiable Information (PII).

Examples of personal details we viewed included:

• Customer names
• Date of Birth
• Gender
• Email addresses
• Phone numbers
• Home Address & postcode
• Dates of flight departure and return
• Destinations
• Flight Prices

An example of the data, showing a customer's email address, is below:

The following is an example of data showing details personal information of a customer:

Option Way users’ email addresses were also accessible as a result of ‘incorrect password’ reset links. This vulnerability exposed the wide database to potential hacks, and Option Way users to a lot of potential fraud.

The leaked database affected Option Way customers in many countries.  With a quick look through the files, we viewed user details from countries that included:

• France
• Belgium
• Algeria<
• Switzerland
• Austria

We do not doubt that after further investigation, this list would be much longer.

Combining all this data creates a complete user profile of Option Way customers, making them vulnerable to various forms of cybercrime and fraud.

Option Way Company Details

Aside from their users, the data breach also compromised Option Way by exposing employee and company information.

We were able to view the PIIs of staff members that were using the platform to book flights.

During our investigation, we also found the company’s credit card details unmasked and viewable to anybody with access to the database. This was used to book flights for staff members and customers, creating a huge risk for Option Way.

By not protecting the company credit card, Option Way is making itself vulnerable to devastating financial fraud.

Data Breach Impact

This open database is a goldmine for identity thieves and other attackers.

Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities.

Phishing & Fraud

A phishing campaign involves creating imitation emails for legitimate businesses or organizations. These are sent to a victim's email inbox to trick them into providing valuable private information. This can include private account logins, credit card details, or any useful information.

With this information obtained, the victim can be exploited in various criminal schemes, from credit card fraud all the way to complete identity theft. Hackers can sell PII to the highest bidder on the dark web and combine it with other forms of attack, making the criminals exploiting the data untraceable.

Alternatively, the phishing email will be embedded with malware or ransomware, used to spy on or extort the victim.

Access to Option Way users’ PII and travel plans allow hackers to create effective phishing emails, imitating Option Way, airlines, and many other unrelated businesses.  

Ticket Account Takeover

Also exposed in the data breach were customers’ unique PNR numbers attached to their reservations. Combined with the customer’s names, hackers could use these to take over a reservation with an airline made via Option Way. They could cancel or change flights, with victims only finding out after they’re notified by the airline.

Robbery

With this database, hackers and thieves know exactly when Option Way customers are on holiday. They know their home address. They can email or call customers to confirm their absence for long periods.

They can then plan effective home robberies, with much less risk of being caught. Using the price of flights booked on Option Way, thieves can judge the net worth of customers and choose their targets based on potential loot.

Risks to Option Way

This data leak has many negative implications for Option Way as well. By leaving the database unencrypted and unsecured, they’re also vulnerable to fraud and other risks. 

Credit Card Fraud

Within the database, our team found the Option Way company credit card, used to book flights on the platform. Often, the only way for Online Travel Agents like Option Way to make a profit off low-cost tickets is to pay for them with their company credit cards and charge the user cards separately.

If a criminal or malicious hacker obtained this, they would gain access to any funds in Option Way’s bank accounts, make purchases, and rack up a huge debt in the company’s name.

This could be financially and operationally ruinous for Option Way. Not only would it put them in debt, but also legal jeopardy.

Aside from the company’s credit card, the data leak also exposes Option Way employee details. This makes them vulnerable to the same forms of attack as the company's customers.

Compromising Their Business Model

The database leak gives invaluable insight into how Option Way operates and generates revenue. This information is normally kept completely confidential, hidden from competitors.

By navigating the information contained within this database, a rival company could gain the upper hand on Option Way, replicate their business model, and undercut them. This may result in a loss of revenue that would be difficult to recover from.

Reputational Damage

How are customers affected by this leak to trust Option Way with their data again? If a malicious hacker gained access to this database - which only takes a web browser - who knows what they’re doing with the information they sold.

These will be the concerns on many Option Way customers’ minds after reading about the data breach.

It will be up to Option Way to regain the trust of their customers, and attract new ones, in light of our discovery.

Advice from the Experts

Had the owners of Option Way implemented some fundamental security precautions, they could have averted this leak. Even though the information we discovered might have still fallen into the hands of criminal hackers, we advise the following to Option Way:

1. Secure your servers with better protection measures.
2. Implement proper access rules on your databases.
3. Never leave a system that doesn’t require authentication open to the internet.

For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.

If you’re a customer of Option Way and concerned about how this breach specifically, or data vulnerabilities in general, might impact your site or business, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

vpnMentor’s research team found this data breach through a huge ongoing web-mapping project. Headed by Noam and Ran, the team scans ports looking for familiar IP blocks and use these blocks to find holes in a company’s web system. Once these holes are found, the team looks for vulnerabilities that would lead them to a data breach.

The team discovered that huge parts of Option Way’s database are completely unprotected and unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via a browser and manipulate the URL search criteria into exposing huge amounts of data.

Using their expertise, our team also examined the database to confirm its identity.

As ethical hackers, we are obliged to reach out to websites when we discover security flaws.

These ethics also mean we carry a responsibility to the public. If possible, we also alert any other parties affected by the breach, such as customers, clients, or a website’s users.

Option Way customers and the airlines on their platform must be aware of the risks they take when using technology that makes so little effort to protect their users.

The purpose of the exercise is to help make the internet safer for everybody.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

We recently discovered a huge data breach impacting 80 million US households. We also revealed that a breach in Biostar 2 compromised the biometric data of over 1 million people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.

[Publication date: 02.09.2019]