A computer expert discovered a vulnerability in one of the systems used by travel distribution company Amadeus, which said it had fixed the issue and that none of the data was misused.
Alp, an Israel-based travel subsidiary, is an online service used by Israeli travel agents and governmental travel agency Inbal to book flights and hotels. It had a database with a weakness that could be pried open to reveal the personal details and email addresses of, allegedly, millions of passengers.
“The configuration flaw, which allowed unauthorized access to information used for a loyalty scheme for travel agencies, and is not related to reservations and ticketing, was discovered by a security researcher,” an Amadeus spokesperson said. “The access was limited to the system in Israel, and we do not believe that data related to other markets was affected.”
News organization Calcalist first reported the breach.
“A detailed analysis of the incident is underway, but there is no evidence to suggest that the data has been accessed by anyone other than the security researcher who reported his findings to the Israeli authorities,” an Amadeus spokesperson said.
This incident was separate from another one earlier this year.
In January, a flaw in Amadeus’ online booking system used by more than 140 airlines could have allowed attackers to access seat assignments and frequent flier information.
The issue, which is now fixed, was first identified by Israeli security researcher Noam Rotem while he was booking a flight with the Israeli national carrier El Al, according to reports. Amadeus said it quickly fixed the issue and that no one other than the researcher accessed the data inappropriately.
Hundreds of online security breaches have happened in recent years, according to the Privacy Rights Clearinghouse. No process seems immune to hacking. Recent travel industry incidents included the hacking of Starwood Hotels data and the hacking of data at several hotel groups that relied on a reservation system run by Sabre.