One of the comforts the internet has brought us is the fact that we can book flights anywhere and anytime and even choose where we want to sit on that flight. But like every online process, even your flight bookings could be subject to hacking.
Researchers Karsten Nohl and Nemanja Nikodijevic from German security firm Security Research Labs published research showing just how easy it is to break into travel booking systems. The report noted that the three largest Global Distribution Systems (GDSs) handling such reservations are vulnerable. “Today’s GDSs go back to the 70s and 80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices.” According to the report, Amadeus, Sabre, and Travelport handle over 90 percent of global flight reservations, and their setup dates back to the 70s.
So here’s the challenge. Each time you book a flight you are given a unique six-digit code, also known as a PNR (Passenger Name Record), which is printed on your boarding pass. It’s so public that just about anyone can get a snapshot of it, and if that person is a hacker, they can access all of your personal information, including your home address, bank card number, frequent flyer number and the IP address used in booking the ticket, among others.
With respect to authentication, the researchers said the GDS and airline websites don’t even limit the number of times you can check codes, and this means hackers don’t even need to employ brute force to run through the database in order to dig out valid codes. “While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”
Perhaps the worst part of this is that these unique codes are serially assigned, making it much easier for hackers to locate just about anyone’s information they wish.
To protect yourself, the best shot you’ve got is to not reveal the PNR on your tickets to anyone. For their part, the GDSs can upgrade their entire systems to meet modern-day threats and probably do away with the six-digit codes they currently give. If you think this is not a big deal, then imagine a scenario where you get to the airport only to find out that your flight booking has just been cancelled.
So here’s the challenge. Each time you book a flight you are given a unique six-character code—known as a Passenger Name Record (PNR)—which is printed on your boarding pass and often embedded in its barcode. It’s so public that anyone with a phone camera can capture it, and if that “anyone” is a hacker they can unlock your personal details: home address, card data, frequent-flyer number, even the IP address used to buy the ticket.
To make matters worse, most airline and GDS sites historically placed no limit on how many times an attacker could test PNRs, meaning brute-force look-ups scarcely broke a sweat. “While the rest of the internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” the researchers wrote at the time. Perhaps the worst part is that PNRs are assigned sequentially, so criminals can narrow their search to codes issued in the past few days and harvest fresh records in bulk.
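The control the researchers found missing, a cap on failed booking-code look-ups, sketched here as an added example (it is not from the report or from any airline's code). The class name, the ten-minute window, the five-code threshold and the log records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LookupGuard:
    """Refuse booking look-ups from a client that keeps guessing codes."""

    def __init__(self, window=600, limit=5):   # assumed policy values
        self.window = window                   # seconds of history kept
        self.limit = limit                     # distinct failed codes allowed
        self._failures = defaultdict(deque)    # client -> (time, code) pairs

    def is_blocked(self, client, now):
        q = self._failures[client]
        while q and now - q[0][0] > self.window:   # drop expired failures
            q.popleft()
        # Count distinct codes so a traveller retyping one typo is not punished.
        return len({code for _, code in q}) >= self.limit

    def record_failure(self, client, code, now):
        self._failures[client].append((now, code.upper()))

def replay(events, guard):
    """events: (time, client, code, found). Returns {client: refused count}."""
    refused = defaultdict(int)
    for now, client, code, found in events:
        if guard.is_blocked(client, now):
            refused[client] += 1        # refused before touching booking data
        elif not found:
            guard.record_failure(client, code, now)
    return dict(refused)

# Constructed log: one traveller with a typo, one client walking adjacent codes.
SAMPLE_EVENTS = (
    [(0, "203.0.113.7", "K7Q2MX", False), (20, "203.0.113.7", "K7Q2NX", True)]
    + [(100 + i, "198.51.100.9", f"A1B2C{i}", False) for i in range(8)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, LookupGuard()))
```

Keying on the client address alone is a simplification; a production control would also cap failures per booking or per account so that rotating addresses does not reset the count.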
What has (and hasn’t) changed since 2017
Better—though still optional—lock-downs. Most major carriers now hide the PNR on mobile boarding passes and automatically mask it inside QR codes, yet those barcodes remain easy to scan with freeware apps.
Biometrics on the horizon. IATA’s One ID initiative, formally adopted in 2024, lets travellers clear each airport touch-point with a live facial match instead of presenting a code at all. Trials in Doha, Amsterdam and Los Angeles suggest boarding-pass scans could disappear within three years.
Digital travel wallets. The EU’s forthcoming Digital Identity Wallet and the ICAO-backed “Digital Travel Credential” aim to store a cryptographically signed journey token on your phone—making the plain-text PNR obsolete for anyone flying into or across Europe by late-2026.
Persistent breaches. Even as new tech rolls out, 2023–24 saw multiple lawsuits alleging that Sabre and other suppliers failed to encrypt sensitive data at rest. The message is clear: incremental fixes coexist with decades-old infrastructure.
How to protect yourself right now
Treat your boarding pass like cash. Shred paper copies; avoid posting “airport selfies” that show the barcode.
Use airline apps over e-mail PDFs. Mobile wallets hide the PNR by default and can be wiped remotely if your phone goes missing.
Opt in to two-factor where offered. A growing list of carriers (e.g., Lufthansa, United, Emirates) now supports one-time passcodes for itinerary changes.
Lobby with your wallet. Choose airlines that have joined One ID or equivalent biometric pilots; every check-in you complete without flashing a PNR makes the old system a little less valuable to attackers.
Until the industry completes its shift to biometric or wallet-based credentials, the humble six-digit locator remains the weak link. That means a single careless selfie, or a boarding pass left in the seat-back pocket, is still enough for a bad actor to cancel your flight—or worse—before you reach the gate. For now, vigilance beats convenience; keep that code out of sight, and hope the travel giants hurry up with the 21st-century overhaul they started talking about nearly a decade ago.
This article was updated in 2025 to reflect some recent developments