SSSS Boarding pass
Photograph ©2018 by Brian Cohen.

Did He Break the Law — or Perform a Public Service — With a Discarded Boarding Pass?

What happened after a discarded boarding pass was found in a rental car is controversial.

A boarding pass was found on the floor of a rental car by a member of FlyerTalk — presumably in the United Kingdom — and what piqued his interest was “that the passenger was listed as a Premier” of British Airways, which prompted him to investigate further.

Did He Break the Law — or Perform a Public Service — With a Discarded Boarding Pass?

“I looked (stalked?) them up on the internet and can see why their employment would make them be offered a Premier member account” is what FlyerTalk member HarryHolden68 posted in this discussion as a cautionary security tale. “On the boarding pass was the passengers full name, Exec. club number and the PNR of the booking. Nosy, I went into manage my booking to see the return flights to Miami scheduled for next week. I saw that they were happy with row 5 in Club Europe from GLA to LHR and similarly, were not in row 1 in Club World on a 788 back to MIA.”

Thinking that he was performing a public service, he further stated that a “simple slip as the pass fell out of a pocket could have resulted in considerable inconvenience to the passenger had I been of a meaner disposition.”

Some members of FlyerTalk do not necessarily agree. According to this statement which was posted by golfmad, “The Computer Misuse Act (1990) provides protection by making it illegal for people to gain unauthorized access to computer material. The maximum penalty is imprisonment and/or a fine and that’s just for accessing it (Section 1) never mind doing anything with the information.”

Click here for the source of information pertaining to the Computer Misuse Act of the United Kingdom.

FlyerTalk member London Dude added that “If I were based in the UK and accessed a British citizen’s flight booking without their permission, I certainly would not advertise it on a public forum as it’s probably a criminal offense under Section 55 of the Data Protection Act (2018).”

The onus is on the person to whom the boarding pass was assigned, as opined by FlyerTalk member PUCCI GALORE: “Frankly my view is that of Tant pis for the Premier who was so slovenly and careless. Beware to the Op for coming on here and telling the world about what is no better than snooping and prying and which I would have done myself. The difference is that I would not have told Flyertlak. Discretion is the better part of valour.”

The lack of a person in protecting and securing his or her own sensitive information is not isolated to just boarding passes, as FlyerTalk member JessicaB related: “I am writing this sitting on a train, a lady is sitting next to me on the phone to someone and has given her name, address, email address and credit card details. Funnily enough I’m not tempted to try to see which of her accounts I can log into with that information. I just think it speaks volumes that someone finds an old boarding card and even thinks ‘Oohh yes, let me log into that person’s booking and Ooh look they are travelling in economy and Oooh look they aren’t even sitting in the front row of Club’. If I had a friend who told me that they’d done this, I would think seriously about whether I wanted to be friends with them still.”

Why Are Boarding Passes Potentially Valuable — and Vulnerable — to Theft?

The most important information which is printed on your boarding pass is what is known as a record locator or passenger name record, which is a record in the database of the computer reservation system of an airline which contains the details of the itinerary for a passenger — or a group of passengers who are traveling together. It is typically six characters in length — and if that sensitive information winds up in the hands of a nefarious individual, he or she will likely have access to such details as your flight, your frequent flier loyalty program membership number, your telephone number, and your e-mail address…

…yet boarding passes can be found strewn around in the pockets on the backs of seats aboard an airplane, on the ground, in a trash receptacle — or on the floor of a rental car.

At best, nothing will happen if the person who finds the discarded boarding pass takes no action — but anything becomes more possible: from having miles or points stolen from your membership account; to “stealing” the return portion of your flight; to a path towards successfully committing identity theft.

Final Boarding Call

The best course of action to take if you have a paper boarding pass is to keep it close to you until after the correct amount of miles or points have been credited to your membership account before you properly discard of it — such as shredding it and disposing of the pieces in several different receptacles, for example, so that it becomes virtually impossible to assemble back together again.

Digital boarding passes also contain a record locator or passenger name record; so be careful using them as well. The good news is that they are not as easy to lose or carelessly discard — especially if you save digital boarding passes properly.

Another method which is more secure than a paper boarding pass is to use your frequent flier loyalty program membership card — or your portable electronic device — to scan when checking in to board the airplane at the gate.

As for me, if I found a discarded boarding pass which belonged to someone else, I certainly would not be nosy and investigate more information about the person to whom it was assigned, as I believe that is unethical — regardless of whether at least one law would broken in the process.

Whether what HarryHolden68 did was considered by FlyeTalk member W213Sal to be ethical hacking is debatable and up for discussion — but it did raise some awareness pertaining to this topic.

To conclude this article with some levity, this discussion on FlyerTalk contains a list of record locators over the years which form interesting words or names — such as PILLOW, CAMPER, LOVEUP, or HIJAXR — and some of them are quite funny…

Photograph ©2018 by Brian Cohen.