Who leaked the changes to Sen. Ted Cruz's airline reservations?

After U.S. Senator Ted Cruz (R-TX) changed his airline reservations to cut short a family vacation in Cancún, Mexico, United Airlines has reportedly launched an internal investigation into how the change to Sen. Cruz’s airline reservations became public.

Sen. Cruz made reservations for himself and his family for three nights at the Ritz-Carlton Hotel in Cancún (US$309 per night per room plus tax), and bought tickets for his whole family for flights on United Airlines from Houston to Cancún leaving Wednesday and returning today.

After he was spotted at the airport and on the plane to Cancún, Sen. Cruz changed his reservations to return to Houston on Thursday. Sen Cruz initially seemed to be claiming that this was his plan all along, to “escort” his wife and daughters to Cancún, and then leave them behind and return after just one night. But two reporters, first Edward Russell of the travel industry news site Skift and then Kris Van Cleave of CBS News, were able to confirm with unnamed “airline sources” that Sen. Cruz was originally booked to return from Cancún to Houston today (Saturday), but changed his reservations Thursday morning to return that day. [Update: Peter Alexander of NBC News also confirmed the changes to Sen. Cruz’s flights with an unnamed “source with knowledge of the situation” although not necessarily with the airline.]

Should we care? Actually, yes, regardless of what we think of Sen. Cruz and his actions.

I have nothing to add to the discussion about Sen. Cruz’s decision to fly away to Cancún with his family for a vacation at a luxury hotel on a tropical beach as soon as the airports in Houston re-opened after a two-day closure caused by an exceptionally severe winter storm that left many of his constituents throughout Texas without running water, electricity, or heat, and while the COVID-19 pandemic continues. My only trip to Cancún was for a travel blogging conference (although I stayed for a few more days after the conference) and it’s not a place I would choose to go for a vacation, although you may have different tastes, and Cancún is not entirely without redeeming merits.

But there’s an important lesson in the fact that so many people had access to Sen. Cruz’s reservations and the history of changes to those reservations. And if, as I expect, United Airlines is unable to identify the leaker(s), that will be even more significant.

Who has access to airline reservations and records of reservation changes?

The “flight status” tab of the United Airlines Web site and mobile app display the upgrade and standby lists and seat assignments, by first initial and first three letters of last name (“CRU, R”). That’s convenient if you are standing by, or for your friends who want to check on whether you made it onto the flight, but it’s also convenient for remote stalkers.

Word to the wise: If you are trying to travel incognito, don’t put your name on a standby list for space-available travel or upgrades, as those lists are even more widely available than passenger manifests of confirmed reservations.

When I travel on a space-available basis on United Airlines, I know that anyone who wants to look can see which flight “HAS, E” is waitlisted for, whether I boarded the flight, and if so what seat I was assigned. They don’t even need to have an account or sign in to the United Web site or mobile app, and there is no way for me or the airline to find out who is, or who has been, tracking my trip.

This past Thursday, anyone who wanted to look could see that “CRU, R” was on the standby list for an upgrade on United Airlines flight #1015 from Cancún (CUN) to G.W. Bush Intercontinental Airport, Houston (IAH). By today, although information for Thursday’s flight was still displayed, Cruz’s name no longer appears on either the standby or upgrade list. That could be a one-off damage-control suppression of Sen. Cruz’s name from the flight status display by United Airlines, More likely, though. Sen. Cruz took his name off the upgrade list once he realized that it had exposed his travel plans.

More information about Sen. Cruz’s itinerary would have been available to anyone who knew the “record locator” for his Passenger Name Record (PNR) in the SHARES database that hosts United Airlines reservations.

United Airlines PNRs can be viewed on either the United.com Web site or the United Airlines mobile app. You don’t have to sign is as one of the travellers to retrieve anyone’s United reservations through the United mobile app by last name and record locator. Once you have retrieved someone else’s reservations into your copy of the United app — perhaps using a record locator spotted on a boarding pass or a baggage tag at the checked-luggage drop-off or baggage-claim area — you can continue to track the status of the reservation including onward or return flights, seat assignments, checked bags, and any changes. This makes the United app extraordinary dangerous as an unsecured remote stalking app.

If the reservations were made through a travel agency that uses one of the major computerized reservation systems, they can also be viewed on that CRS’s PNR-viewing Web site. All that is needed is the last name of any of the travellers in the party (one PNR can include multiple travellers) and the record locator. So anyone who shoulder-surfed the record locator off any of the Cruz family’s boarding passes, or the label on any of their checked bags, on the baggage carousel in Cancún when they arrived on Wednesday, would have been able to pull up their PNR and find out on what flight, on what day, they were booked to return to Houston.

This is how, in 2019, J. Random Hacker got the personal cellphone number of the former Prime Minister of Australia from a Qantas PNR by using a record locator obtained from a boarding pass visible in a photo posted on Instagram. Word to the wise: Shred or otherwise destroy all baggage tags, itineraries, and boarding passes — anything that has your record locator on it. Don’t display them publicly.

This is a longstanding and well-known problem. I’ve been writing about the vulnerability posed by using unchangeable, insecure, system-assigned record locators as though they were passwords, and of PNR-viewing Web sites including those operated by CRSs and airline check-in Web sites, for almost twenty years.

Once the change was made, the “face” of Sen. Cruz’s PNR would have shown only the revised booking for the Thursday flight from Cancún. To find out when he had originally been booked to return to Houston (not until today, Saturday), you would have needed to view the change log included in the PNR “history”. The “history” is part of the PNR, but it’s not generally visible to the traveller. You can see some examples of PNR histories in the copies of some of my my PNRs that I obtained from the U.S. Department of Homeland Security (which obtains and retains mirror ciopies of all PNRs for international flights to or from the U.S.) through a FOIA and Privacy Act lawsuit, and in the responses to my requests to airlines for copies of PNR data about me. (There are templates here that you can use to make your own requests.)

The “history” in each PNR in any of the major computerized reservation systems is a change log that includes, for each addition, cancellation (cancelled PNRs and cancelled PNR entries are moved to archival storage, not deleted) or change to the PNR, the date and time of the change, set address or location code (the CRS network equivalent of a domain name and/or IP address), the agent sine (unique identifier for the employee, if the change was made through a human staff person, or an identifier for an API or ‘bot that generated the change or through which it was received), and a free-text “received” field to indicate who requested or authorized the change (most often simply “P” or “PAX” if the change was requested by the passenger, but sometimes something such as “MR CRUZ”, “MS CRUZ PAX WIFE”, or “RICHARD ROE PAX PERSONAL ASST”).

Not everyone who works for an airline has CRS access, but tens of thousands of employees of numerous companies around the world have access to complete PNRs including history data, even for domestic flights entirely within the U.S. Staff and contractors with access to PNR data include those in reservations, customer service, and some in airport operations and revenue accounting.

The sources who confirmed to reporters what changes were made to Sen. Cruz’s reservations, when, and by whom, may work for United Airlines at any of their offices around the world. Ordinary travel agents only have access to PNRs created by, or transferred to, their agency or its affiliates. But “general sales agents” — independent contractors who represent airlines in countries and locations where they don’t have their own offices — have full access to all the airline’s PNRs. So journalists’ sources for information about Sen. Cruz’s PNR history could also have worked for any of the GSAs for United Airlines.

Everyone has friends, of course. It doesn’t matter if your stalker or abuser works for an airline or CRS if they have a buddy who does and who’s willing to do them a regular, occasional, or one-time favor by looking up the reservations of a person of interest.

How can I (or the airline) tell who has looked at my reservations? You can’t, and neither can the airline.

Several commenters have mistakenly suggested that it will be easy for United Airlines to identify the leaker by reviewing the logs that record what SHARES system users retrieved Sen. Cruz’s PNR.

The problem for United Airlines, and more importantly the problem for every member of the public who cares who knows the details of their travel plans, is that there are no access logs for PNR data.

Access logs are the norm in other industries, but not in the airline industry for PNR data.

As I pointed out in my widely-cited FAQ about PNR data, first published almost 20 years ago:

Each PNR contains a change log (“history”), but I’ve never seen or heard of a CRS or PNR handling system that includes an access log in the PNR. So unless logs are kept at the system level (as is sometimes done, for at least a short time, by a CRS for debugging or other purposes), it is impossible to know who has actually retrieved or viewed any particular PNR, or any of the data in it, or from which country or countries that data has been retrieved. None of the European airlines from which I have requested my PNR data has provided me with any access logs, even though they are required by EU data protection law to disclose transfers of personal data to entities outside the EU.

I also pointed this out in a joint submission to the U.S. Federal Trade Commission in 2009 co-signed by, among others, the Consumer Travel Alliance (now Travelers United) and the Consumer Federation of America:

The absence of access logs in the major CRS’s/GDS’s makes it impossible for travel companies that use these systems to comply with the fundamental principles of fair information practices — or even, in many cases, their own claimed privacy policies. Since no access logs are kept or included in PNR’s, travel companies themselves don’t know who has accessed data they entered. As they have admitted in response to some of our requests, they don’t know and thus can’t tell consumers who has accessed data about them, which data, or from where in the world.

That was more than a decade ago, but nothing has changed.

I also raised the lack of access logs, along with the lack of passwords for access to PNR data, in a complaint to the European Commission:

Article 11 of the Code of Conduct for Computerised Reservation Systems (Regulation (EC) No 80/2009 of 14 January 2009) requires that ‘technical and organisational measures shall be taken … to ensure that personal data are only accessible for the specific purpose for which they were collected.’ The Commission has the power to investigate and enforce the code under Section 6 of the regulation.

Personal data in the passenger name records (PNR) hosted by Computerised Reservation Systems (CRS) are available through CRS-operated public websites, just by using a name and the short ‘record locators’ displayed on items such as boarding passes and baggage labels. Due to a lack of access logs, data subjects are unable to gather from CRSs, whether their PNR data have been disclosed and to whom.

My complaint to the EC was finally acknowledged in 2017, but remains pending today, almost four year later.

In the meantime, there has been a seemingly never-ending series of rediscoveries and demonstrations of the ongoing vulnerability of airline reservations to stalkers, harassers, con artists, hackers, paparazzi, curiosi, and (last and least) investigative journalists.

The situation for Sen. Cruz is the same as that for any other traveler except that Sen. Cruz, unlike most travellers, could request and receive a police escort through the airport if he feared that he would be heckled by people who had found out his travel plans from his PNR data.

We may have little sympathy for Sen. Cruz. But despite prurient interest in the travels of celebrities, breaches of privacy involving airline reservations and other travel planning data are typically neither directed at rich and famous individuals, nor financial crimes victimizing large groups of random travellers. The easier and more common attacks are those that target already vulnerable individuals, especially those directed at victims of stalking and harassment. Modeling of these threats should start with domestic abusers as attackers, and our concern for the urgency of addressing this problem should start with our sympathy for victims of stalking, harassment, and abuse.

Will the leaker be found? Probably not, unless some human source knows who the leaker is and turns them in to the airline.

In the absence of access logs, someone who discloses PNR data is likely to be caught only if they confess or are caught in the act. A supervisor could look over their shoulder unexpectedly, and see something suspicious on their screen. Or a supervisor could be monitoring their set address or user sine remotely, although the odds of that at any moment are small. Otherwise, there’s no record of the data breach.

The same goes for acquisition of PNR data by governments, including whatever government you may not want to know about your travel plans.

Suppose that agents of the Chinese Public Security Bureau (PSB) go to the United Airlines office in Beijing, and order the local staff to retrieve and hand over a copy of Sen. Cruz’s reservations from Houston to Cancún, or your reservations next week from New York to Chicago (assuming you are travelling during the COVID-19 pandemic, which I hope you aren’t). Suppose the PSB also serves the local staff with an order, pursuant to Chinese law, not to tell their head office about their demand for your PNR data.

The United Airlines staff in China have to comply with these government orders. They are Chinese citizens subject to Chinese law. And they can comply, because there are no geographic or purpose restrictions on access to PNR data. Unless you or someone you know is looking over their shoulder in that back room in Beijing when your data is retrieved and handed over, or unless someone blows the whistle on the PSB (unlikely), neither you nor anybody in the United Airlines head offices will ever know that this has happened.

Once upon a time, as a travel agent, I sold tickets to a delegation of human rights lawyers going to a country with a repressive government to try to collect information for a complaint to an international tribunal about violations of the rights of political prisoners including local lawyers arrested for attempting to defend imprisoned dissidents in local courts.

I booked the delegation on a U.S. based airline, rather than the government-affiliated national airline of the destination country, to make it a little harder for that government to get access to the travellers’ itineraries. But one member of the delegation gave the U.S. airline some local contact information to reconfirm their return flight, and the government got that info from the PNR and used it to round up and deport the delegation before they could complete their work in the country.

I suspect that the secret police obtained this information from local staff of the U.S.-based airline in one of its offices in the destination country. But in the absence of access logs, neither I nor the airline was ever able to say for sure. There was nothing in the PNR to give any warning that it had been retrieved by someone in that country, much less to identify who had done so or when.

If PNR data is this easy to obtain, why don’t we hear more about it being abused?

First, airline and travel agency reservations staff, ticketing and gate agents, and flight attendants have a strong culture of respect for passengers’ privacy. They can and sometimes do pull up the PNRs of celebrities they deal with, if they have free time to do so (which they often don’t). But in general, they keep their lips sealed about what they have seen, or at least about travellers’ names. The bad behavior of the rich, powerful, and/or famous is a common topic of off-duty conversation among front-line airline and travel agency workers. But the names are almost always obfuscated. One hears stories about what an unidentified and, in the telling, unidentifiable rock star or politician or celebrity spouse did, not about what a named person did. There’s a lesson here: Privacy is more about mutual and collective human respect for each other’s personal dignity, not about rules or laws.

Second, because of the lack of awareness of PNR data as a means of targeted attack (airlines and CRSs are fully aware of everything I’m saying here, of course, and have been for many years, but the general public isn’t) and the lack of access logs or any other means of after-the-fact forensic investigation, it’s likely that most attacks of this sort go undetected unless the perpetrator (a) is caught in some other way, and (b) confesses their modus operandi. Neither is likely, so we don’t really know how common these attacks are.

If the risk is so great, why hasn’t this security vulnerability been fixed?

Airlines and CRSs have known about all of this for decades, but have made a business choice not to do anything about it.

I addressed their reasoning in a blog post last year. I won’t repeat myself here, but to summarize: (1) Airlines depend on CRSs for PNR-hosting functionality. So unless and until CRSs clean up their act and add minimal security measures like PNR passwords and access logging, it will be almost impossible for any airline to do the right thing, even if it wants to. (2) Neither airlines nor CRSs have a business reason to spend money fixing a vulnerability that doesn’t adversely affect them, only their customers, and that affects all of their competitors equally. (3) Governments in countries with laws that, on paper, prohibit these practices have chosen not to enforce these laws against their national airlines — or any others.

What’s the takeaway from the leak of Sen Cruz’s airline reservations and the airline’s inability to find the leaker?

If there were any access logs, the leaker(s) would have been identified almost immediately as the only system user (whether they worked for United Airlines or a contractor) who had no involvement with Sen. Cruz’s reservations or travel and no plausible excuse for having pulled up his PNR and its history, and who may have been located nowhere near Houston or Cancún, but whose fingerprints in the form of an agent sine showed up in the access log associated with Sen. Cruz’s PNR.

The fact that United Airlines hasn’t already announced that a leaker has been fingered and fired is confirmation — even if a leaker is eventually identified by other means, although I don’t expect that — that there are still no access logs for PNR data, that airlines are still in flagrant, knowing, and deliberate violation of elementary security norms and data protection principles, and that action by data protection authorities in countries where there are such enforcement bodies is urgently needed to force CRS operators including Travelport, Sabre, and Amadeus to implement the functionality to enable — and to require — the creation and retention of immutable access logs, just like the current change logs, in PNR histories — and while they are at it to start requiring passwords for PNR access.

This isn’t about Senator Cruz, politicians, celebrities or leaks to journalists. And none of this is specific to United Airlines — the same thing could have happened with any airline. This is about basic privacy protection for all travellers.

[Corrected, thanks to Twitter user tdh18ny, to note that since the merger between United Airlines and Continental Airlines, United Airlines reservations are no longer hosted by Travelport but are stored in the SHARES system that was already being used by Continental. PNRs created through online or offline travel agencies that use Travelport or another of the major CRSs can still be accessed through those CRSs PNR-viewing Web sites.]