back to article Thomas Cook website spills personal info – and it's fine with that

Holidaymakers who used Thomas Cook Airlines had their personal information spilled onto the internet no thanks to basic coding cockups. Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines …

  1. Doctor Syntax Silver badge

    So you have the option to report to the ICO and look like a good boy or not report and line yourself up for the top tier of fines for not doing so if the ICO disagrees with your risk assessment of the breach. Deciding whether to report or not is also a risk assessment, of course. Does the quality of assessment on whether to report indicate anything about the quality of assessment of the breach?

  2. djstardust Silver badge


    Their incident reporting is obviously as late as their shitty charter flights.

  3. This post has been deleted by its author

  4. Aqua Marina Silver badge

    If they are struggling to report themselves, I’m sure there a few competent people on here that can do it for them.

  5. Anonymous Coward
    Anonymous Coward

    Good God

    Is Graham Clueless still around?

  6. Anonymous Coward
    Anonymous Coward

    stop telling us how serious you are!

    We'll judge how seriously you take passenger data based on your actions, like everyone else.

    "we take ... blah blah blah" ... well done, your PR dept googled the standard response. F**k off, none of you largish companies give a sh*t

    1. GnuTzu Bronze badge

      Re: stop telling us how serious you are!

      Yeah, that's canned incident response template number 1.

      Yeah, I'm sick of hearing it too, and sadly it'll never stop.

  7. Will Godfrey Silver badge

    Strange spin

    Our tame examiners only exposed a few people's details, so we are certain no crims did any better.

    O really?

  8. Anonymous Coward

    GDPR requires reporting of data leak except when it doesn't :]

    "the controller shall .. notify the personal data breach to the supervisory authority .. unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

    So, no sanctions for such leaks and no requirement to report such leaks to the leaked-on. The only practical effect I've seen is multiple click-boxes on websites and some US websites blocking access in Europe.

  9. Mark 85 Silver badge

    Interesting defense

    Based upon the evidence we have, and the limited volume and nature of the data that was accessed,

    So they are saying that they have so few customers using that site that it doesn't matter?

  10. Pseu Donyme

    re: Spies Denmark

    For a second I was wondering what the local Google affiliate was doing in a list of travel agencies.

  11. Aodhhan Bronze badge

    What a bunch of $$$7

    In good faith, I believe the company should publish the names and PERSONAL emails of all company board members and those holding the position of VP and above.

    If they will do this, then I'll go along with them saying this is a LOW vulnerability... but you know they will never do this.

  12. Crisp Silver badge

    "After being alerted to this unauthorised access"

    Except it wasn't an unauthorised access. The system was doing exactly what it was designed to do.

    What they have there is an unauthorised disclosure. They had a duty of care regarding that data and they left it on a window sill where anyone could take a gander.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019