Why you should never upload a photo of your boarding pass to Facebook

The barcode on a boarding pass contains sensitive data

Kate Ng
Tuesday 29 December 2015 12:04 GMT
Boarding passes contain passenger information that can be accessed by others
Boarding passes contain passenger information that can be accessed by others (Getty)

Support truly
independent journalism

Our mission is to deliver unbiased, fact-based reporting that holds power to account and exposes the truth.

Whether $5 or $50, every contribution counts.

Support us to deliver journalism without an agenda.

Louise Thomas

Louise Thomas


Posting a picture of a boarding pass to Facebook can seem smug, especially when no one else is going on holiday – but it could come back to bite you in a completely different way.

Brian Krebs, an author and blogger specialising in investigative stories on cybercrime and computer security, explained just how much information an airplane boarding pass contains in its barcode.

He wrote about a reader of his blog, KrebsOnSecurity, who became curious about the information he could glean from a friend’s boarding pass uploaded to Facebook.

After taking a screenshot of the Lufthansa flight boarding pass, he quickly found a website “that could decode the data and instantly had lots of info about his trip”.

The information included the passenger’s name, frequent flyer number and other “personally identifiable information”.

The reader, known as Cory, was able to obtain the “record key” for the Lufthansa flight the passenger was taking that day.

The reader continues to the airline’s website and used the passenger’s last name, which was encoded in the barcode, and the record key enabled him “to access his entire account”.

“Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance,” said Cory.

Mr Krebs said the access granted by Lufthansa also allowed Cory to view “all future flights tied to that frequent flyer account”, change seats for the ticketed passenger, and even cancel any future flights.

Travel news blog The Winglet suggests blurring out sensitive information if you must upload a photo of your boarding pass to social media.

This includes the airline ticket number, record locator and barcode, as well as “any other identifiable information”.

Once your flight is over and you no longer have a need for the boarding pass, Mr Krebs suggests putting it in the shredder rather than simply throwing it away as the data stored in it can still be accessed.

Michael Palin's top 5 travel tips

Click here to see for yourself how much information you can get from your boarding pass barcode.

More information on airplane boarding passes and barcode standards can be found in this document by the International Air Transport Association (IATA).

Click here to view the latest travel offers, with Independent Holidays.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in