Identity theft from a discarded boarding pass

This week the Guardian (U.K.) newspaper picked up a story I first reported five years ago, describing how they were able to obtain an unsuspecting traveller’s airline profile and personal data, using only the information on a discarded airline boarding pass stub.

Exactly four years ago, I filed my first report from the annual Computers, Freedom, and Privacy conference on the possibility that identity thieves, stalkers, terrorists, or other criminals could access travellers’ reservation records — including, in many cases, personal information, home addresses, passport numbers, etc. — from information obtained from a discarded or “shoulder surfed” boarding pass or itinerary header. The Guardian used a slightly different methodology than the one I described in my earlier report. But they were successful without the need for any insider or industry-specific knowledge.

Aptly, I read the Guardian report while sitting at this year’s CFP conference waiting for the start of the plenary session on the possibility of a Federal data privacy law (which we don’t yet have in the USA) for personal information held by private and commercial entities — including, not least, travel and reservation companies.

Neither the discussion, nor enactment of such a law, can come too soon.