
How British luggage handling service left European diplomats exposed to hackers

03 August 2025 08:58

A major cybersecurity vulnerability discovered in Airportr, a UK-based premium luggage handling service, has raised significant concerns about the security of sensitive travel data—especially that of diplomats and government officials. The breach, uncovered by Indian cybersecurity firm CyberX9, revealed that Airportr left users’ personal and travel details wide open to exploitation, creating a potential goldmine for espionage and cybercrime.

Airportr offers a service that allows passengers—primarily in the UK and Europe—to have their luggage picked up from their homes, checked in, and delivered to their final destination. According to a WIRED article on the debacle, the company partners with 10 major airlines, including British Airways, American Airlines, Lufthansa, and Virgin Atlantic, and has reportedly handled more than 800,000 bags for around 92,000 users.

According to CyberX9’s researchers, flaws in Airportr's website could allow hackers to not only access users’ travel records and personal details but also assume super-admin control of the platform, potentially enabling them to redirect luggage, steal it, or even interfere with flight bookings.

Among the data reviewed by CyberX9 were records of individuals traveling on diplomatic passports from the UK, the US, and Switzerland. The researchers identified one person as a UK ambassador and another as a US cybersecurity official, underscoring the heightened risk involved. These individuals were among several government officials whose sensitive data—passport images, travel itineraries, and contact information—were vulnerable.

CyberX9’s founder Himanshu Pathak described the breach as extremely serious. “Anyone could have had complete administrative control over Airportr’s operations and customer data,” he said.

“This includes the power to modify bookings, access confidential information, and even impersonate the company via email or SMS to conduct phishing attacks.” The research team noted that such a breach would be highly appealing to state-sponsored hackers or espionage actors seeking intelligence on government officials’ movements.

The vulnerabilities, discovered with minimal effort, included poorly secured API keys, lack of rate limiting (which allowed for mass password resets), and exposed administrator email addresses that made privilege escalation possible. Essentially, these flaws allowed researchers to reset passwords for any user, hijack administrator accounts, and view all bookings and luggage routing data.

CyberX9 first took interest in Airportr after one of its team members was shown the service while booking a flight from the UAE to Europe. Recognizing the sensitive nature of the company’s operations, they decided to investigate—and found serious flaws quickly.

Airportr CEO Randel Darby acknowledged the vulnerabilities but downplayed the severity, stating that while theoretical admin access was possible, exploiting it without detection would be “highly difficult.” He stressed that Airportr’s system is independent from airline systems and that their APIs only allow read-only access to flight data, not the ability to modify flight operations.

Despite that, CyberX9 insists that the consequences of such a breach could be far-reaching. A malicious actor, using the level of access the researchers gained, could have impersonated the service to send deceptive messages, undermined the trust in a secure travel system, or even disrupted airline logistics.

Airlines associated with Airportr have remained mostly silent in response to inquiries. While Lufthansa issued a generic statement affirming its commitment to investigating any data breaches, British Airways, American Airlines, and Virgin Atlantic did not respond to WIRED’s requests for comment.

By Nazrin Sadigova

Caliber.Az
