The world’s top companies use wandera Learn Why Try Wandera for Free

Is your personal information traveling somewhere without you?

Is your personal information traveling somewhere without you?

4879 2487 Liarna La Porta

Thomas Cook (India) Ltd. is not part of the Thomas Cook group of companies. There is no suggestion from Wandera that the Thomas Cook group of travel companies has any vulnerability in relation to its websites or mobile apps.

Most people would be familiar with the travel booking process. Whether it’s for business or pleasure, it takes a lot of time and effort comparing prices and sifting through hotel and flight options. There are services to help with the process now, but can you trust them to keep your sensitive information safe and not traveling into the unknown?

Researchers at Wandera have discovered a vulnerability in the website of travel giant Thomas Cook (India) Ltd, which is no longer part of the Thomas Cook group of companies but still licences the brand name. This vulnerability puts personally identifiable information (PII) at risk. Shockingly, it even reveals highly sensitive information such as passport numbers and full credit card details.

How does it happen?

Multiple data leaks are occurring but the most damaging vulnerability was discovered in the Thomas Cook (India) Ltd. mobile website. It uses plaintext when sending user data including credit card and passport details over the network, exposing it to any attacker or third-party observer on the network.

Security best practices call for all sensitive information to be encrypted so the content cannot be read or altered by an unauthorized party. Unencrypted credit card data and other PII is a significant oversight. Customers actively using the site could have their credit card information and other PII compromised.

 

What is being exposed?

PII that is exposed when a user registers for an account on the desktop website includes:

  • E-mail
  • Password

PII that is exposed when a user registers for an account on the mobile website includes:

  • First name, Last name
  • E-mail
  • Phone Number

PII that is exposed during a login request on the mobile website includes:

  • E-mail
  • Password

PII that is exposed during a password change event on the mobile website includes:

  • Old Password
  • New Password

PII that is exposed during payment processing on the mobile website includes:

  • Credit Card Number
  • Credit Card Card Expiration Date (Month, Year)
  • Credit Card Holder’s Name
  • CVV / Security Code

PII that is exposed during the flight booking process on the mobile website includes:

  • First name, Last name
  • E-mail
  • Phone Number
  • Date of Birth
  • Passport Number

What can you do?

Avoid using the Thomas Cook (India) Ltd. website over public and potentially insecure Wi-Fi hotspots to minimize the risk of traffic interception.

Our recommendation for businesses is to have an active mobile security service deployed. MDMs are able to restrict access to certain apps, but are unable to limit access to websites.

Ensure your security solution has a filtering and blocking feature that happens at the data level to block traffic to both leaky apps and vulnerable websites.

If you book travel frequently, be aware of other travel-related companies that have been discovered leaking sensitive user data such as Scandinavian Airlines and this group of airlines identified as part of the CardCrypt flaw.

We can assure the public that we have no reason at all to believe that the customer data of Thomas Cook Group plc. is not held securely, and we have not detected any vulnerability in any website or mobile app belonging to Thomas Cook Group plc. 

The latest mobile threats that you should know about

Our Threat Advisories present useful information on new mobile threats, their implications and practical steps for remediation and prevention, enabling you to swiftly address each new threat before it impacts your business.

Learn MORE

Liarna La Porta

Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.

All stories by:Liarna La Porta
Liarna La Porta

Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.

All stories by:Liarna La Porta