A loophole on a travel booking website used by the Israeli government reportedly allowed access to sensitive information on Prime Minister Benjamin Netanyahu and top security officials.
According to a report Wednesday in the Calcalist business daily, the flaw in the security system on the Amadeus Leisure Platform site exposed data on 15 million travelers’ flight plans, hotel bookings and visa requests, as well as personal information such as email addresses.
The newspaper was alerted to the breach by a hacker who warned of the potential for “enormous damage if the breach is not closed.” It later contacted the National Cyber Directorate, which said it had addressed the problem and that the information was no longer accessible.
The site is used for booking by a number of leading travel agencies in Israel and Inbal, a state-run firm in charge of arranging international flights for public employees, including the prime minister and senior security officials.
The report did not indicate who or how many people had accessed the information, which could potentially be used to plan attacks on government officials or for phishing scams, among other nefarious purposes.
One of the email addresses that could be accessed on the site was firstname.lastname@example.org, to which flight information for the Netanyahu family was sent. The paper noted the account was likely not set up by the prime minister himself, who is known for eschewing cellphones and email. The Prime Minister’s Office said it was not familiar with the email address.
Amadeus, the IT firm that developed the site, said it was alerted of the breach on May 20.
“Because of this issue, it was possible to gain unauthorized and illegal access to information. Our security team took immediate action and quickly fixed the problem,” the company was quoted as saying in a statement.
In January, an Israeli cyber researcher revealed a major security flaw on Amadeus’s reservation system that allowed a flight reservation to be changed with only a booking number.