An Airline Ticket to Fraud

Data systems that merge air passenger data make identity theft easier to come by


'That is inconvenient enough but, as we tested the system, it became clear that information was going to be used to build a complete picture of you from lots of private databases - your credit record, your travel history, your criminal record, whether you had the remotest links with anyone at your college who became a terrorist. I began to feel more and more uncomfortable about it.' Eventually, he quit the programme.

All of this was on my mind as I sat down with my computer expert, Adam Laurie, one of the founders of a company called the Bunker Secure Hosting, to examine Broer's boarding-pass stub.

Laurie is known in cyber circles as something of a white knight, a computer wizard who not only advises companies on how to make their systems secure, but also cares about civil rights and privacy.

We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding-pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality and his date of birth. The system even allowed us to change the information.

Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth.

Laurie was anything but smug. 'This is terrible,' he said. 'It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies not geared up for securing it as it gets shared around more and more people. It doesn't enhance our security, it undermines it.'

Just over $100 million had been spent on Capps II before it was scrapped in July 2004.

Campaigners in the U.S. had objected to it on grounds of privacy, and airlines such as JetBlue and American faced boycotts when it emerged they were involved in trials - handing over passenger information - with the Department of Homeland Security's Transportation Security Administration (TSA).

Even worse, JetBlue admitted it had given the private records of five million passengers to a commercial company for analysis - and some of this was posted on the internet.

But the problems did not end with the demise of Capps II. Earlier that month, the EU caved in to American demands that European airlines, too, should hand over passenger information to the United States Bureau of Customs and Border Protection (BCBP) before their aircraft would be allowed to land on U.S. soil.

The BCBP wanted up to 60 pieces of information routinely gathered by booking agencies and stored as a Passenger Name Record (PNR).

This included not only your flight details, name and address, but also your travel itinerary, where you were staying, with whom you travelled, whether you booked a hire car in the U.S., whether you booked a smoking room in your hotel, even if you ordered a halal or kosher meal.

And the U.S. authorities wanted to keep it all for 50 years.

At first, the European Commission argued that surrendering such information would be in breach of European data protection law.

Eventually, however, in the face of huge fines for airlines and cancelled landing slots, it agreed that 34 items from PNRs could be handed over and kept by the U.S. for three and a half years.

Capps II was superseded in August 2004 by a new system called Secure Flight.

Later, in October last year, the BCBP demanded that airlines travelling to, or through, the U.S. should forward 'advance passenger information', including passport number and date of birth, before passengers would be allowed to travel.

It called this the Advance Passenger Information System, or APIS. This is the information that Laurie and I had accessed through the BA website.

By the time I found the ticket stub and went to Laurie, he had already reported his suspicions about a potential security lapse to BA by email on January 20.

He received no response, so he followed up with a telephone call asking for the airline's security officer. He was told there wasn't one, so he explained the lapse to an employee. Nothing was done and he still has not been contacted.

Three months ago, after further objections in the U.S. but before our investigation, Secure Flight was suspended after costing the U.S. taxpayer $144 million.