Unresponsive "comments" from Amadeus

Exactly three weeks after a public demonstration of the insecurity of public Web gateways to computerized reservation systems (CRSs) — a threat to travellers that I’ve been writing, speaking and telling the CRS operators about for more than 15 years — one of those companies has responded to my request for comment, but without answering any of my questions.

Here, in its entirety, is the statement I received late Tuesday from Amadeus (which hosts PNR data for airlines and travel agencies and operates the CheckMyTrip.com for viewing PNR data), followed by my comments:

Please find here statements that can be attributed to an Amadeus spokesperson. We will be making no further comment for now.

“Amadeus continues to assess the findings of the research conducted by SR Labs on travel industry security. We give the security of customer systems and data the highest priority and our systems and processes are under continuous review. We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems.

“Already we have taken steps to reinforce our systems and processes with additional layers of authentication to further secure information. Specifically, we have enhanced our user behavioural analytics system to improve real-time monitoring and alerting so we are able to detect traffic anomalies on any type of request. It blocks suspicious attempts to logins and prevents brute force attacks in real-time. We have also applied rate limiting access to further secure the system and we are ensuring an ongoing security assessment to validate the current level of protection and detect any potential loopholes or weaknesses.”

What, if anything, does this mean?

Amadeus didn’t choose to respond to any of the specific questions I asked, other than my question regarding what measures the company might have taken or be planning other than the most important ones: passwords, access logging, and changes to disclosures and privacy and data protection policies.

I asked Amadeus what “findings” or “issues … have been exposed here” that I hadn’t reported to them 15 years ago. But I didn’t get any more of answer to that question than to any of my others.

Journalists, travellers, and government privacy and data protection authorities should continue to ask these same questions not just of Amadeus but also of Travelport, Sabre, and the airlines and travel agencies that outsource hosting of their customer and transaction data to these companies.

The statement by Amadeus and the measures it discusses appears to be limited to protecting against “brute force” trial-and-error attacks. These were not the focus of my report and questions, and are not the most serious of the threats to travellers’ privacy and safety. Most real-world attackers targeting a specific person will be able to obtain the record locator for their victim’s PNR without the need for a brute-force attack.

Amadeus ignored my questions about (lack of) passwords and (lack of) access logs, which are the heart of the vulnerability. Amadeus also ignored my questions about warnings and disclosures to travellers. Nothing has been done by Amadeus to mitigate or warn travellers about the fundamental threats to the privacy and security of their PNR data.

Right now, without waiting for technical fixes, CRS/GDS companies and the airlines and travel agencies that use them could — and should — start warning travellers that (a) you need to keep your record locator secret and treat it as though it were a password, and (b) your data can be accessed (without leaving any log or trace of that access) and/or changed by anyone who has your record locator, through CRS Web sites (VirtuallyThere.com, ViewTrip.com, CheckMyTrip.com, etc.) and other sites and pathways that many travellers don’t even know exist.

At the same time three weeks ago that I contacted Amadeus’ corporate communications department, I also contacted Amdeus’ security vulnerability reporting team at the address designated on their Web site for this purpose, “vulnerabilities@amadeus.com”.

As of now, I have received no official acknowledgement or response to either this vulnerability report or the ones I began making 15 years ago, long before Amadeus had posted policies or an address for vulnerability reports.

I have subscribers to my e-mail newsletter, and regular visitors to my Web site, from Amadeus, Travelport, and Sabre. I have years of archived e-mail correspondence about this with Amadeus from 2002-2004, before I was told that Amadeus would not respond to or discuss my vulnerability reports.

Amadeus says that they will work with their “industry partners” to address these issues, but to date has been unwilling to work with those who brought these vulnerabilities to their attention.

If — despite reports including mine — Amadeus was unable for many years to recognize the seriousness of these threats, that should suggest that they would benefit from the insights of those who did notice them and who have offered to help assess them and other threats, and find ways to mitigate them.

Next week I’ll be in Brussels for the annual conference on Computers, Privacy, and Data Protection, where I’m speaking on a panel on Populist Politics and the Prospects for Privacy. I look forward to seeing some of you there.

I’ll be reporting on Amadeus’ non-response — and, more importantly, inaction — and that of Sabre and Travelport, in my conversations with staff of the European Data Protection Supervisor, the European Commission, Members of the European Parliament, national data protection authorities, activists, and European citizens, residents, visitors, and travellers.

Stonewalling those who point out vulnerabilities and offer to help fix them will not make the problems go away.