Thomas Cook is synonymous with holidays, flights, cruises, hotels and summer and winter breaks. It’s branding has penetrated the national consciousness of many a nation including the UK and the Scandinavian region.

But it’s less of a holiday company and more of an airline with Thomas Cook Airlines, Thomas Cook Airlines Scandinavia, Condor Flugdienst and Thomas Cook Airlines Balearic and others, all of which come under the umbrella of the Thomas Cook Group.

That said, recently it almost became synonymous with a major hack:
  • A Norwegian computer programmer discovered that it was possible to retrieve sensitive information from the Thomas Cook Airlines’ systems using only a booking reference number. 
  • The programmer discovered that trips booked through the travel agency Ving, whose parent company is Thomas Cook, are assigned incremental booking reference numbers. 
  • This means you can reach other customers’ details simply by subtracting or adding to the reference number in a URL. For instance, when pulling up your booking information online your reference number appears the end of the URL. By simply adding or subtracting a number other customer information appears. 
  • This data includes the full names of all travellers on booking, email address of the person who made the booking and all flight information such as date, airport and flight number including return details. 
  • Booking data made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were affected by the vulnerability going as far back as 2013 and into 2019. 
  • It’s very possible that other booking agency websites with Thomas Cook Airline information also had the same vulnerability.

It’s not known whether this flaw has previously been exploited by malicious hacker or whether the security researcher was the first to discover it.

However, it certainly illustrates how fundamental security vulnerabilities are still common and why we all have to take responsibility for protecting our personal information.

For instance, imagine that a malicious hacker got this information. They could use the email address to create a targeted phishing mail, claiming to be from the travel agency. To the recipient the mail wouldn’t be suspicious, yet it could easily harbour a virus designed to steal passwords and banking information.

That said, to date there is no evidence that this flaw has been exploited by cyber crooks. Let’s hope it was the security researcher who got their first.