Individuals flying for the first time are aware that an airline boarding pass includes certain details about a traveler, such as their name, flight number, and seat assignment. However, what might not be common knowledge is that these tickets, whether in paper form or electronic, harbor more personal information than readily apparent.
In particular, the barcode on a boarding pass has the capacity to reveal information like a frequent flier number, contact details, or other identifying particulars. According to privacy researcher Bill Fitzgerald, the specifics contained within the barcode can vary from one airline to another. Nevertheless, a prudent approach is to always assume that the scannable code contains personal information about the traveler and their itinerary.
Moreover, travelers should also consider that these barcodes may encompass driver's license and passport details, as these are typically provided to the airline during check-in or at the airport. Consequently, it is crucial to handle paper boarding passes with care, refraining from casually discarding them into the trash. As Fitzgerald emphasizes, posting them on social media is an absolute no-go.
While these precautions may seem like standard data protection advice, even the most experienced travelers have made mistakes when safeguarding their boarding passes. A prime example is former Australian Prime Minister Tony Abbott, who inadvertently exposed his personal information by sharing an Instagram photo of his Qantas flight boarding pass in March 2020. Although the hacker who gained access to Abbott's details did not misuse the information, the potential for malicious intent is a looming concern.
Most attackers could utilize this data, which may seem insignificant on its own, to initiate further online attacks against the traveler's digital accounts and identity. Mark Scrano, an information security manager at cybersecurity firm Cobalt, warns that many airlines rely solely on the data from the boarding pass, particularly the confirmation code and last name, to grant full access to the traveler's online account. This vulnerability could be exploited to access personal data stored by the airline.
These seemingly inconsequential details, when used strategically, could lead to significant troubles for travelers, including identity theft. Fitzgerald advises against sharing barcodes in any way to protect against this risk. Although paper boarding passes are becoming less common, they are still required in certain situations beyond the passenger's control, such as last-minute seat changes at the gate.
According to Fitzgerald, shredding a boarding pass is one of the safest methods for disposal.
While mobile boarding passes might appear to be a convenient solution for safeguarding personal data, Fitzgerald cautions that using electronic tickets within airline apps or loyalty apps is not as straightforward as it seems. He points out that these apps often pose privacy concerns and frequently incorporate various forms of tracking, including first-party and third-party tracking. Additionally, some apps may disclose the user's location in near-real-time, further complicating the choice between paper and electronic boarding passes.
For travelers who prefer using their smartphones instead of paper tickets, Fitzgerald recommends taking a screenshot of the QR code on the mobile boarding pass and saving it to their photos, eliminating the need for an additional app to access it.
In summary, it is advisable to treat any version of your airline ticket as you would a sensitive personal document, even if it appears that information such as flight numbers or barcodes holds little significance. As Fitzgerald notes, while the consequences of such information falling into the wrong hands may not be catastrophic, travelers should not make it easier for potential threats to exploit their data.