“As we saw with Tony Abbott, his passport number and phone number were easily discoverable with little effort on the part of the hacker,” Mr Gorrie said.
“Private details, such as an email, home address and phone number linked to an airline account could be exposed and even give a cyber criminal the ability to change your travel plans.”
Mr Hope said he had tried to scan the barcode on Mr Abbott’s pass, but then realised the booking reference was printed on it so he used that to log in to Qantas’ website and found Mr Abbott’s details.
He said he spent six months trying to alert Qantas and Mr Abbott to the fact that these details are so easily accessible.
This is not a new vector for malicious actors to grab valuable information. In 2015, security expert Brian Krebs was warning about software that could dig into the data locked away behind pictures of barcodes and QR codes on tickets and boarding passes.
These often contain airport codes, flight numbers, frequent flyer IDs and names, Mr Krebs said, which is easily enough to log into airline websites and impersonate the ticket holder. While information like phone numbers and future travel plans aren’t in the barcodes or on the ticket, they’re easily accessible through the airline website.
In Mr Abbott’s case, Mr Hope was able to get to additional information — including airline staff’s notes and comments about the trip — by examining the HTML code of the Qantas website.
Also in 2015, a woman who posted a selfie with her winning Melbourne Cup ticket found someone else had already claimed it by the time she reached the TAB. There have also been instances of tickets for sporting events and concerts being replicated from online photos and sold online as legitimate.
Mr Gorrie said it was important to be aware of the opportunities you’re giving malicious actors by posting pictures of yourself and your personal items to the public internet.
“If you’re posting pictures to Instagram or other social networks, make sure you switch your privacy settings to only share updates with your trusted network,” he said.
Tim is the editor of The Age and Sydney Morning Herald technology sections.