⛓ Supply Chain

Amadeus Flight Booking System Vulnerability (January 2019)

📅 2019-01-15 🏢 Amadeus
Primary Source ↗

Incident Details

In January 2019, security researcher Noam Rotem discovered a critical vulnerability in the Amadeus Global Distribution System (GDS) that exposed passenger reservation data for customers of at least 141 airlines worldwide. Amadeus is one of the dominant flight booking infrastructure providers, processing reservations for roughly half of all commercial airline passengers globally.

The vulnerability was an insecure direct object reference (IDOR) in the Amadeus web booking portal. A reservation was identified solely by its six-character alphanumeric Passenger Name Record (PNR) locator, which was carried in a URL parameter; changing that parameter from a script was enough to request other passengers' records. Critically, the portal enforced no rate limiting or other brute-force protection, so an attacker could systematically enumerate the locator space, collect every active PNR, and retrieve any passenger's full reservation details without authentication and without knowing the passenger's name.

Exposed data included full passenger names, dates of birth, home addresses, email addresses, phone numbers, frequent flyer account information, and complete itinerary details. In some cases, the vulnerability also allowed modification of existing reservations, enabling an attacker to change seat assignments or contact details, or potentially to cancel bookings outright.

Amadeus was notified and stated that the issue was fixed as of January 16, 2019. Security researchers disputed that assessment, however, finding the remediation superficial and insufficient against a determined attacker. Amadeus maintained that it had detected no evidence of actual data exfiltration during the exposure window.

The incident highlights the systemic risk of centralised GDS infrastructure shared across hundreds of airline brands. Airlines including United, Lufthansa, Air Canada, and scores of others were downstream victims of a flaw in a shared third-party platform over which they had no direct control. The lack of secondary authentication for PNR lookup, a longstanding industry practice that security researchers had criticised well before this incident, was central to the vulnerability.
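To make the IDOR and the missing secondary authentication concrete, the following is an added example (not Amadeus code) modelling both the vulnerable lookup described above and a hardened variant. Everything in it is an assumption for illustration: the in-memory reservation table, the surname used as the second factor, the client identifier used for throttling, the attempt limits, and the figure of ten million active reservations used to show how dense a six-character alphanumeric keyspace is. Real locators are not uniformly random, so the guess-rate estimate is an upper bound on attacker effort, not a measurement.

```python
"""Toy model of the PNR lookup flaw, beside a hardened version.

Added example, not Amadeus code. The reservation table, the client identifier
used for throttling, the attempt limits and the active-reservation figure are
assumptions; real locators are also not uniformly random.
"""
import hmac
import string
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

LOCATOR_ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
LOCATOR_LENGTH = 6


@dataclass
class Reservation:
    locator: str
    surname: str
    itinerary: str
    email: str


# Constructed stand-in for the GDS reservation table.
RESERVATIONS = {
    "ABC123": Reservation("ABC123", "SMITH", "TLV-JFK 2019-01-20", "smith@example.com"),
    "XYZ789": Reservation("XYZ789", "GARCIA", "FRA-YYZ 2019-02-02", "garcia@example.com"),
}


def lookup_vulnerable(locator: str) -> Optional[Reservation]:
    """The IDOR pattern: the locator is the only key, there is no second factor
    and no throttling, so whoever can vary the URL parameter can walk the table."""
    return RESERVATIONS.get(locator.upper())


def enumerate_vulnerable(candidates):
    """What scripted URL manipulation amounts to: try candidate locators and
    keep every one the unauthenticated endpoint answers for."""
    return [r for c in candidates if (r := lookup_vulnerable(c)) is not None]


def locator_keyspace(alphabet_size=len(LOCATOR_ALPHABET), length=LOCATOR_LENGTH) -> int:
    return alphabet_size ** length          # 36**6 = 2,176,782,336


def expected_guesses_per_hit(active_reservations: int) -> float:
    """Average random guesses per valid record if active locators were spread
    uniformly over the keyspace (assumed). With tens of millions of live
    bookings an unthrottled client lands on a real record every few hundred tries."""
    return locator_keyspace() / active_reservations


class LookupDenied(Exception):
    pass


@dataclass
class RateLimiter:
    """Fixed-window attempt counter keyed by client (IP, session or API key). Assumed limits."""
    max_attempts: int = 5
    window_seconds: float = 300.0
    _hits: dict = field(default_factory=lambda: defaultdict(list))

    def allow(self, client: str, now: float) -> bool:
        recent = [t for t in self._hits[client] if now - t < self.window_seconds]
        self._hits[client] = recent
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter()


def lookup_hardened(locator: str, surname: str, client: str, now: Optional[float] = None) -> Reservation:
    """Require a second value bound to the record (here the passenger surname),
    count every attempt against the client before answering, and return the
    same error for an unknown locator and a wrong surname."""
    now = time.time() if now is None else now
    if not LIMITER.allow(client, now):
        raise LookupDenied("too many attempts")
    rec = RESERVATIONS.get(locator.upper())
    # Compare against a dummy when the locator is unknown, in constant time,
    # so response timing does not become a locator-existence oracle.
    expected = (rec.surname if rec else "\x00" * 16).upper().encode()
    if not hmac.compare_digest(expected, surname.upper().encode()) or rec is None:
        raise LookupDenied("reservation not found")
    return rec


def try_lookup(locator: str, surname: str, client: str, now: float):
    """Turn the denial into a value so the outcomes can be compared side by side."""
    try:
        return lookup_hardened(locator, surname, client, now)
    except LookupDenied as e:
        return str(e)


if __name__ == "__main__":
    print(enumerate_vulnerable(["AAAAAA", "ABC123", "XYZ789"]))
    print(f"{expected_guesses_per_hit(10_000_000):.0f} guesses per hit (assumed 10M active)")
    for i in range(6):
        print(i, try_lookup("ABC123", "guess", "198.51.100.7", float(i)))
```

The hardened function does three things the original portal did not: it ties the locator to something the traveller knows and an enumerator does not, it charges every attempt to the client before deciding, and it keeps the failure path indistinguishable for "no such locator" and "wrong surname". A captcha alone, the remediation researchers criticised, addresses only the second of these.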

No CVEs were formally assigned. The researcher published findings through Security Affairs and The Hacker News on January 15, 2019. Amadeus stated no traveller data was disclosed, but could not rule out unauthorised access prior to the fix.
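Whether unauthorised access happened before the fix is the kind of question that is answered from web-server access logs, where enumeration has a distinctive shape: one client cycling through many distinct locators in a short window, with most requests missing. The following is an added example of that retrospective check; it is not Amadeus tooling and the log lines are constructed. It assumes combined-log-format lines, a retrieval endpoint at /booking/retrieve that takes the locator in a `pnr` query parameter, a 200 response for a found record and 404 otherwise, and the window and threshold values shown.

```python
"""Retrospective hunt for PNR enumeration in web-server access logs.

Added example, not Amadeus tooling or logs. Assumptions: combined-log-format
lines, a retrieval endpoint at /booking/retrieve taking the locator in a
`pnr` query parameter, 200 for a found reservation and 404 otherwise, and the
thresholds below. The sample log is constructed inline.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOCATOR_RE = re.compile(r"^[A-Z0-9]{6}$")
RETRIEVE_PATH = "/booking/retrieve"   # assumed endpoint


def parse_line(line):
    """Pull client IP, timestamp, path, locator and status out of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    pnr = parse_qs(url.query).get("pnr", [""])[0].upper()
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": url.path,
        "pnr": pnr if LOCATOR_RE.match(pnr) else None,
        "status": int(m["status"]),
    }


def max_distinct_in_window(events, window_seconds):
    """Largest number of distinct locators one client tried inside any window."""
    events = sorted(events, key=lambda e: e["ts"])
    best, start = 0, 0
    for end, ev in enumerate(events):
        while (ev["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
            start += 1
        best = max(best, len({e["pnr"] for e in events[start:end + 1]}))
    return best


def find_enumerators(lines, window_seconds=60, min_distinct=20):
    """Flag clients that cycle through many distinct locators within one window.
    A traveller looks up one or two locators; an enumerator walks the keyspace.
    For each flagged client, list the locators answered with 200: those are the
    reservations to treat as exposed in the incident assessment."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"] == RETRIEVE_PATH and ev["pnr"]:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        if max_distinct_in_window(events, window_seconds) >= min_distinct:
            findings[ip] = {
                "requests": len(events),
                "distinct_locators": len({e["pnr"] for e in events}),
                "exposed": sorted({e["pnr"] for e in events if e["status"] == 200}),
            }
    return findings


def build_sample_log():
    """Constructed sample: one traveller checking their own booking twice, and one
    client walking sequential locators at one request per second."""
    tmpl = '{ip} - - [15/Jan/2019:10:00:{sec:02d} +0000] "GET {path}?pnr={pnr}&lang=en HTTP/1.1" {status} 512'
    lines = [
        tmpl.format(ip="203.0.113.5", sec=0, path=RETRIEVE_PATH, pnr="ABC123", status=200),
        tmpl.format(ip="203.0.113.5", sec=40, path=RETRIEVE_PATH, pnr="ABC123", status=200),
    ]
    valid = {"AAAA11", "AAAA23"}          # the two guesses that happen to hit real records
    for i in range(30):
        pnr = f"AAAA{i:02d}"
        lines.append(tmpl.format(ip="198.51.100.7", sec=i, path=RETRIEVE_PATH, pnr=pnr,
                                 status=200 if pnr in valid else 404))
    return lines


if __name__ == "__main__":
    for ip, info in find_enumerators(build_sample_log()).items():
        print(ip, info)
```

The distinct-locator count is the signal to key on rather than request volume alone, because a busy airport kiosk or a corporate travel desk also produces many lookups but only a handful of distinct locators per client. A slow enumerator spreading requests over days evades the one-minute window, so in practice the same count is also run over longer windows.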

Technical Details

Initial Attack Vector
Insecure direct object reference (IDOR) in web-based booking portal allowing unauthenticated enumeration of passenger name records (PNRs)
Vendor / Product
Amadeus
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2019-01-15 Breach occurred
  2. 2019-01-15 Publicly disclosed