Even first-time filers know that an airline boarding pass contains certain information about a traveler. A passenger’s name, flight number, and seat assignment are all printed in plain sight. But did you know these tickets, whether a paper print out or an electronic version, contain more personal information than meets the eye?
Specifically, the barcode on a boarding pass can pull up data like a frequent flier number, contact information, or other identification details. The information contained is “going to vary barcode by barcode, airline by airline,” says privacy researcher Bill Fitzgerald. But one rule of thumb is to always assume the scannable code “has information about you and your stuff and where you’re going,” he says.
Travelers should also assume that the barcodes contain driver’s license and passport details, as fliers must provide these to the airline or at the airport, according to Fitzgerald. As such, the paper versions of the travel document should be disposed of with care. “If you have a barcode on something, you should not be throwing that into the trash unless you want somebody to get it,” says Fitzgerald. “And you should definitely never be posting it on social media.”Watch Now: Condé Nast Traveler Video.
These might seem like standard data protection guidelines to follow, but even the most savvy travelers have tripped up when it comes to boarding pass protection. In March 2020, former Australian Prime Minister Tony Abbott posted an Instagram photo of his boarding pass for a Qantas flight. “Using only this image an attacker was able to gain access to the prime minister’s personal details including his phone number and passport [number],” says Mark Scrano, an information security manager at cybersecurity firm Cobalt. Although that ha
cker didn’t use Abbott’s data for malicious purposes, instead spending months trying to contact Abbott’s team to warn of a potential security breach, others might not be so altruistic.
Most attackers could use that data—which at first glance might seem minor or obscure on its own—to continue “leveraging your personal details to launch other online attacks against your digital accounts and persona,” Scrano says. “Many airlines use only the data on the boarding pass, specifically the confirmation code and last name to allow full access to your online account. These can be abused to access your personal data that is stored by the airline.”
If used skillfully, these small details could lead to even larger headaches for travelers, like identity fraud. “It’s good information that could be used in any type of identity theft or a targeted hack,” Fitzgerald says. “So if you’re concerned about having your identity stolen, it’s a really simple step to take, to not share barcodes in any way, shape, or form.” Paper boarding passes, while used less and less frequently, are still required in certain instances that might be out of a passenger’s control, like if there’s a seat change made at the gate, perhaps.
Shredding a boarding pass is one of the safest ways to discard it, according to Fitzgerald.
Mobile boarding passes might seem like an easy solution to protecting personal data. But Fitzgerald says it’s not exactly as simple as using the electronic ticket in an airline app or loyalty app. “Those apps are privacy nightmares, and they’re often filled with a range of first-party [and] third-party tracking,” he says. “They can sometimes include your location in close to real time as you’re using the app. So this is where it’s not a simple binary choice between a paper boarding pass or an electronic boarding pass.”
For travelers who would rather use their phone instead of a paper ticket, Fitzgerald recommends taking a screenshot of the QR code on the mobile boarding pass and saving that to your photos, eliminating the need for an additional app to access it.
Bottom line: It’s best to treat any iteration of your airline ticket like you would a sensitive personal document, even if on the surface information like flight number or a barcode might seem of little importance. “Is it catastrophic if these get into the wrong hands? Probably not,” says Fitzgerald. “But with that said, if there’s somebody coming after [your information] specifically, don’t make it easier for them.”