While many Australians relish the chance to share their holidays – and sometimes, even business trips – on social media, former Prime Minister Tony Abbott has received a personal lesson in the value of not exposing your airline booking reference in the process.
Back in March, Abbott travelled from Tokyo to Sydney with Qantas: snapping and posting a photo of his boarding pass on Instagram, alongside a receipt for his checked luggage.
While Abbott did mask his VIP-tier Chairman’s Lounge frequent flyer details from view, he neglected to take the same precaution with the six-character Qantas booking reference which appeared in plain text on the accompanying baggage receipt.
Abbott's boarding pass barcode was also visible in the image, through which a booking reference number can also be obtained in seconds using a barcode reader app or website.
The photograph has since been deleted from Abbott’s Instagram account, but not before tech-savvy social media user Alex Hope took the opportunity to retrieve Abbott's booking via the Qantas website.
What Abbott accidentally revealed
Paired with the traveller’s surname, that six-character code unmasked a raft of private information: including his date of birth, passport number, passport expiry date, personal mobile number, email address, frequent flyer number, and other flights booked under the same ticket.
The former PM’s fondness for a “window seat in the last row of business class”, a message notated onto the booking as a ‘special service request’, was also uncovered by Hope, through a simple examination of the HTML source code that produced the relevant Qantas ‘manage my booking’ page.
Thankfully, rather than indulging in identity theft or sharing all the details, Hope chose to alert Qantas, the Australian Government, and Abbott of the issue.
Qantas rolls out a fix
Qantas has since worked with its booking technology provider Amadeus to limit the ease of accessing some private information via the airline’s ‘manage my booking’ pages, although a surname and a six-character booking reference remains all you need to access an itinerary on the Qantas website.
This includes calling up personal information such as a traveller’s full name, email address, phone number, frequent flyer details, company information (on business bookings), meal preferences (which may indicate religion), and more, along with the ability to change seat assignments – and indeed, change or even cancel flights.
At the end of the day, whether you’re a former Prime Minister or a lesser-known business traveller, Executive Traveller’s long-standing advice remains: do not share your boarding pass barcode (or your booking reference) online – you never know who is browsing, and what they’ll do with the information you're granting them access to.