Airlines Could Be Leaking Your Private Data

International airline Emirates was virtually handing over customers’ sensitive information to marketers and hackers, according to a data security engineer.

Before you book your tickets to Puerto Rico for spring break, you should consider an illuminating–and frightening–cautionary tale from software engineer and data security expert Konark Modi.


Like many of us, Modi was simply booking some plane tickets for his family on the Emirates website when he noticed a few things that his inner internet privacy advocate found alarming. Specifically, “when you book your flight through Emirates, Domestic or International, there are approximately 300 data points related to your booking,” he writes in a March 2 Medium post. This data is compiled for the customer on a personalized “Manage Preferences” page that they receive in an email once they book a flight.

Yet Modi found that the URL of that page–and the data points it contained–were also being shared with “approximately 14 different third-party trackers like Crazy egg, Boxever, Coremetrics, Google, and Facebook among others.”

At first blush, this sort of behavior is a sad and obnoxious reality that those of us on the web deal with every day: personal data shared with third-party trackers. But what made matters worse: the URL included in Modi’s email used the HTTP protocol—that is, it began with “http://”—which is notoriously insecure compared with HTTPS, and can make supposedly “private” webpages accessible to hackers and other adversaries.

As Modi points out, this isn’t just obnoxious: it’s downright dangerous. “Anyone who has access to these links can not only read but also edit the information that I as a user can,” he writes. That includes changing or canceling the flight, checking out your passport information, changing your seat or meal preference and more.

On the Emirates webpage, fields such as passport number, email ID, and phone number were previously not obfuscated in the source code.

Modi, who notes that there is no evidence that any of this data has been abused, shared his findings with the airline in October 2017, both through a Twitter DM conversation with the company’s social media team, and through an email to the app’s product manager, but was met, he says, “with a deafening silence.”

Emirates’ web app has been improved somewhat since he first discovered this flaw, according to Modi, but as of Friday the mobile app still reveals what should be private data.


A spokesperson for the airline said, “While we do use a number of third-party analytical tools on our sites for the purpose of improving the online browsing experience, we continually review how these are implemented. The depiction in Mr. Modi’s article as to what data is being shared, or customer choice in ‘opting out’ is inaccurate. We are committed to protecting the privacy of our customers’ personal data. Customers can find out more about how we use personal data and how they can opt out by reading our privacy policy on”

While Modi only focused on Emirates, he suggests checking out WhoTracksMe to see if your favorite website uses trackers—and to be alert for websites that only use HTTP. “This issue is not only limited to Emirates, a lot of airlines like Lufthansa, KLM (last checked on October 2017) suffer from the same issues,” he writes. Unfortunately, there isn’t much that consumers can do about leaky websites save for pressuring the companies to improve online security, and using web privacy apps like uBlock Origin, Privacy Badger, or Ghostery. (Modi himself is an engineer for Cliqz, a privacy-focused browser for Firefox.)

It’s almost enough to make you long for the days of real life travel agents … almost.

About the author

Melissa Locker is a writer and world-renowned fish telepathist.