Frontier Airlines left passenger data exposed for more than 100 days, ethical hacker says
A Frontier Airlines security flaw allegedly exposed passengers' passport numbers, home addresses, TSA PreCheck identifiers, and payment details using information printed on a standard boarding pass.
-
Passports, addresses, and credit card details were accessible via standard boarding pass barcodes due to a system flaw.
-
Frontier Airlines left the vulnerability open for months despite being alerted by a security researcher.
-
Former staff blamed the leak on a poorly managed mess of legacy software that employees were afraid to touch.
A boarding pass is supposed to get you on a plane, not hand your credentials over to bad actors.
A security researcher, known as “bobdahacker,” says Frontier Airlines has been exposing passport details, home addresses, TSA PreCheck numbers, and partial payment information through flaws in its booking system, according to his research.
Even scanning the barcode on a physical boarding pass could expose all this information, leaving a customer strikingly defenseless should they routinely dispose of it.
The most alarming part is that the vulnerabilities have been visible for over 100 days, despite bobdahacker informing the airline about them.
Available details included full passport numbers, home addresses, TSA PreCheck codes, and nearly complete credit card details.
According to the disclosure, full passport numbers and expiry dates, including those of children, were included in the leak, as well as previous booking transactions – leaving a whole trove of information for hackers to pick and choose from.
Staff tried to raise the alarm
According to the exposure, staff previously noted that the airline's software was outdated, a term the industry calls Legacy Software. This can refer to outdated programming or operating systems.
And Frontier had a problem with their “Manage My Booking” option, which apparently leaks the customers' full credentials, as described above.
A former airline employee reached out to bobdahacker and provided the following testimony.
“IBE (Internet Booking Engine) was (and probably still is) a mess of generated config and code that only one person was senior enough to touch. Everyone else basically danced around it, myself included”
This is not the first time an airline has been liable for harm recently. In May, a hacker group claimed on its Telegram channel that it had breached British Airways' internal employee system, exposing confidential data on pilots and aircrew.
And in November 2025, Spanish airline Iberia informed customers that threat actors stole over 77GB of sensitive data and attempted to sell it over the dark web.
In an industry increasingly disrupted by geopolitical troubles, the aviation tech infrastructure could well need modernizing, especially for Frontier Airlines, as this new report shows.
Cybernews reached out to Frontier Airlines for further comment and they responded: “Frontier Airlines is aware of potential IT vulnerabilities, which we have addressed and resolved. The security of our systems is a top priority for Frontier Airlines, and we take these types of matters very seriously."
