This story has been around for a while, and it’s relevant as we’re all learning to be more careful with our private data and concerned about identity theft. It’s also a story because it’s been somewhat hyped up through relatively vague media stories like this one (the publish date for which is unclear).
One story in March 2020 was about former Australian Prime Minister Tony Abbott, who posted a photo of his boarding pass on social media. Using only the image, one person was able to gain access to private details and then altruistically spent months trying to warn the Prime Minister’s staff.
Stories like this have been passed around for years, so let’s get to the bottom of it and answer the question: Can your private data be hacked from your boarding pass?
What’s stored with that little barcode depends on the airline, but a rule of thumb is to assume that the scannable code has information about you, your stuff, and where you’re going.
In addition to the info printed on the boarding pass, some personal information is accessible using the barcode.
And possibly (depending on the airline):
With an account number and name, plus some sleuthing in your social media accounts, a hacker may be able to find other details that you could have used to secure your account, like:
Using the information they’ve gleaned/stolen, a hacker may be able to reset your password, steal your miles, change your seats, cancel flights, etc. Because your flight purchase may also be linked with family travelers, the hacker could also have that information!
It’s easy for anyone to download a scanner app that decodes barcode data. I typed ‘barcode scanner’ into the app store and found dozens.
It’s similar to how simple it’s become to scan a QR code and get a full restaurant menu on your phone.
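To show what a scanner app hands back, here is an added example (not from the original article) that splits decoded barcode text into fields and picks out the ones that identify the traveler. It assumes the pass uses the fixed-width IATA Bar Coded Boarding Pass (BCBP) layout, which the article does not name; the sample string and the function names are constructed for illustration.

```python
# Mandatory fixed-width fields of an IATA BCBP barcode (first leg), in order.
# Assumption: the pass follows this layout; the article does not name a format.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("booking_reference", 7),
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("cabin", 1),
    ("seat", 4), ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters

# Fields that identify the traveler or the booking.
SENSITIVE = ("passenger_name", "booking_reference")


def parse_bcbp(text):
    """Split decoded barcode text into its mandatory fields."""
    if len(text) < MANDATORY_LEN or text[0] != "M":
        raise ValueError("not a BCBP string")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = text[pos:pos + width].strip()
        pos += width
    # Airline-specific data (the "depending on the airline" part) follows;
    # its length is given as two hex digits. Kept opaque here.
    size = int(out["conditional_size_hex"], 16)
    out["conditional_data"] = text[pos:pos + size]
    return out


def exposed(text):
    """Return only the fields that tie the barcode to a person and booking."""
    fields = parse_bcbp(text)
    return {k: fields[k] for k in SENSITIVE if fields[k]}


# Constructed sample, not a real booking; padded to the field widths above.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "SYDMEL"
          + "XX".ljust(3) + "0123".ljust(5) + "100" + "Y" + "012A"
          + "0001".ljust(5) + "1" + "00")

if __name__ == "__main__":
    for key, value in parse_bcbp(SAMPLE).items():
        print(f"{key:22} {value!r}")
    print("identifying fields:", exposed(SAMPLE))
```

The name and booking reference sit in the barcode even if the printed text on the pass is covered, so the barcode itself needs to be kept out of photos.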
Mobile boarding passes may seem like the easy answer to protecting your personal data, but it’s not as simple as showing the electronic ticket. According to privacy researcher Bill Fitzgerald, those apps are filled with a range of first-party and third-party tracking, up to and including your real-time location when you’re using the app.
You can’t always avoid a printed boarding pass, either. Sometimes the requirement is out of a traveler’s control, like in the situation of a last-minute seat change, for example.
Bottom line: If you want to use your phone rather than a paper ticket, the recommendation is to take a screenshot of the QR code on the boarding pass, save it to your photos, and show that instead. It eliminates the need for an additional app to access it, but TSA agents may not accept it.
Shortly after 9/11, Congress mandated an entry and exit system with biometrics to secure US borders. Biometric scanning is not required for entry into the US for US citizens, and US citizens are allowed to opt-out of participation in favor of a manual review of travel documents.
Biometric scanning has been proliferating ever since. For biometrics to work, a known trusted source of data, like personally identifying documents (driver’s licenses, passports, etc.), has to be matched to a record on file. These days, more systems, from opening your phone to accessing your banking app, are using facial recognition as the record on file. This is the basis of biometrics.
Ultimately, biometrics should allow travelers to use facial recognition to check a bag, clear security, and board a flight. No paper or app involved, and no identification required either.
The goals of biometrics are speed and efficiency as well as safety. Of course, how much and what data will be shared with what agencies remains to be seen. Luckily for those who are concerned, biometric scanning is optional.
It’s best to treat any iteration of your airline ticket like you would any sensitive personal document. It’s not likely that someone will get this data, and it’s not even catastrophic if they do, because it will take additional work on their part to put it to use. If someone is coming after your information, however, you don’t want to make it easier for them.
Use these simple steps to keep your personal info to yourself:
When you’re not showing it to agents, fold it in half and keep it in your pocket.
Damian Tysdal is the founder of CoverTrip, and is a licensed agent for travel insurance (MA 1883287). He believes travel insurance should be easier to understand, and started the first travel insurance blog in 2006.