airBaltic, Latvia’s flag carrier has acknowledged that a ‘technical error’ exposed reservation details of some of its passengers to other airBaltic passengers.
Passengers also reported receiving unexpected emails which addressed them by the name of another customer.
The Riga-based airline, incorporated as AS Air Baltic Corporation operates flights to 80 destinations and is 97% government-owned. Although the air carrier says the leak impacts a small percentage of its customers and that no financial or payment data was exposed, the airline has yet to disclose the total number of impacted passengers.
Accidental exposure leaks passenger bookings
Yesterday, multiple airBaltic passengers reported receiving emails that were addressed to someone else:
Hey @airBaltic thanks for your e-mail. I appreciate your coupon, however I’m not flying to Rome and I’m definitely not Artis.
However, now I have full access to his booking and contact details. Mind to explain? pic.twitter.com/SnyltmPsEU
— Misha K (@theramoar) May 12, 2023
The airline also began emailing customers, informing them of a data leak that exposed their booking information to other passengers.
One such email was spotted by security researcher Erik Wynter, who shared it with BleepingComputer:
airBaltic’s email to customers sent over the weekend (Erik Wynter)
BleepingComputer was told that the exposed information may have included the passengers’ full names, birth dates, email addresses, etc.
airBaltic’s subsequent email update sent to affected customers (Erik Wynter)
Incident did not result from a cyber attack
An airBaltic spokesperson confirmed to BleepingComputer that the issue impacted 0.009% of its reservations from this year:
“We can confirm that on Friday, May 12, an internal technical problem was detected in the airBaltic e-mail distribution system, as a result of which a small number of passengers (approximately 0,009% of our clients this year) received an erroneous e-mail with the flight reservation information of another passenger,” airBaltic told BleepingComputer, and later clarifying that the percentage represents the impacted reservations, not passengers.
“This email did not contain payment method or other financial details, or sensitive information. The protection of personal data is very important to us, thus we can guarantee that in the incident the personal information of the non-involved passengers is safe and the incident has been contained.”
Considering airBaltic flew approximately 3.3 million passengers in 2022, the otherwise minute-looking percentage could mean the data exposure incident impacted hundreds of fliers.
Given the exposed data includes sensitive booking details such as the PNR/reservation number—knowledge of which could be used to modify an itinerary, some passengers expressed concern, urging the airline to issue them a new booking number.
“This has been done for passengers who contacted the airline individually and wanted it themselves,” airBaltic further told BleepingComputer.
The spokesperson states that the issues resulted from an “internal technical error” and that there is no malicious activity or external influence (such as from a cyber attack or a threat actor) that is reponsible for these issues.
“E-mail was sent out in language intended for the passenger whose data were included in the respective message, based on settings and language selection during the booking process,” the airline also tweeted, and the same has been observed by some passengers.
“The protection of personal data is very important to us, so we are thoroughly investigating this case and will contact all affected passengers within today. We guarantee that personal data of non-affected passengers is not compromised and the incident is currently contained. We apologize for any inconvenience caused.”
If you are an airBaltic customer who has been impacted by the issue, it may be worth getting in touch with the airline and have it issue you a fresh booking number.
May 16th, 06:40 AM ET: Added clarification from airBaltic about the percentage representing impacting reservations.
May 16th, 12:50 PM ET: Added copy of an updated email sent by the airline to customers.