Sometimes we take for granted the simple security measures put in place to protect our privacy.  Take for example the need to enter both your booking reference number, and your surname into an airline website before you can see a copy of the e-ticket for travel.  Now imagine you could just enter any set of random numbers and no other details to bring up the itinerary of someone who has booked a bus journey – it’s a huge security hole which leaves the privacy of thousands of travellers wide open and it happened right here in Australia to Greyhound Australia.

Exposed tonight on Channel 9’s A Current Affair by reporter Rohan Wenn this simple error meant that by simply typing in any series of digits into the URL (Web Address) used by passengers to download their own e-ticket would likely show you another travellers name and itinerary plus the price they paid.


A full passenger itinerary - available simply by changing the Ticket Number in the web URL

A full passenger itinerary – available simply by changing the Ticket Number in the web URL

While at the face of it this could be seen as a small problem, consider the privacy that should come with someone’s travel itinerary.  Is the person meant to be away from work, does their family know they are going away, and perhaps most alarmingly what could a potential burglar do with the information – knowing you are away from home for a set period.

Greyhound sent A Current Affair a written statement 4 days after being told of the bungle. They thanked A Current Affair for telling them about the “potential breach in privacy”, however as reporter Rohan Wenn points out “there was nothing potential about it. It actually happened.

They also tried to downplay its seriousness by pointing out they hadn’t received any customer complaints about the issue”

In the story that aired tonight, Rohan approached travellers whose itineraries he had found on the site  “They were all very surprised to see us and understandably more surprised to discover we had copies of their tickets. We approached them simply to see if what we had uncovered was correct, that we had found real, existing tickets for future dates. Unfortunately, it was correct.”

One passenger in particular was extremely disturbed, fearing for her safety if someone in her life knew her whereabouts. Obviously, we did not put her to air in our story.”

Since the investigation by A Current Affair the site has removed the online ticketing flaw, and while that should give some comfort to those travelling it does little to change the fact that the flaw existed – probably for as long as the company has had an online e-ticket download service.

The flaw was this simple – you are at a website where the PDF ticket for your journey is available to print or save.  The Website URL (Address) ends with your own ticket number. Increase that number by 1 or any number, and you’ll likely find someone else’s valid ticket.

Ticket Number corresponded to the website URL

Ticket Number corresponded to the website URL

How could this happen?  Well it is quite possible that the idea of a “downloadable ticket” was created along with a website and IT upgrade at the company, and with web development being a straight forward “give them what they want” driven process, the checks, balances and steps that larger travel organisations would put in place were simply not considered.

Begs the question – what other ticketing sites might suffer from the same simple flaw?

Greyhound offered no explanation for the error, only a simple “thank you” for contacting them, and that they’d fixed the problem.

Watch the full story from A Current Affair at their website: