Frontier Airlines Is Leaking Your Passport and Credit Card Details From a Boarding Pass
Why It Matters
The breach exposes sensitive personal and financial information, potentially fueling identity theft and card‑not‑present fraud on a large scale, and highlights the airline’s inadequate security governance.
Key Takeaways
- Booking code and last name retrieve full passenger records
- Credit‑card BIN plus last four digits leaves only 100,000 combos
- Frontier ignored a 30‑day remediation deadline
- Legacy IBE system hampers timely security fixes
Pulse Analysis
Frontier Airlines’ data exposure underscores a growing trend where legacy reservation systems become soft targets for attackers. The airline’s internal booking engine, known as IBE, was already slated for retirement, yet it remained in production while developers struggled to maintain its tangled codebase. When a simple query—six‑character PNR plus a passenger’s surname—returns a JSON payload containing passport numbers, home addresses, and near‑complete credit‑card details, the risk escalates from inconvenience to a full‑blown privacy crisis. This incident illustrates how outdated infrastructure can magnify the impact of a single API flaw, especially when the same identifiers are printed on every boarding pass.
The technical specifics reveal why the breach is especially dangerous. By exposing the first six digits of a card (the BIN) and the last four, attackers need only brute‑force the remaining five digits—roughly 100,000 possibilities—to reconstruct a valid 16‑digit number, a process that can be automated in minutes. Coupled with the cardholder’s name, expiration date, and billing address, fraudsters can bypass address verification (AVS) and attempt card‑not‑present purchases, leaving the CVV as the sole barrier. Financial institutions may see a spike in disputed charges, while consumers could face costly identity‑theft remediation.
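The arithmetic behind the 100,000 figure, as an added example that is not part of the original article: a 16-digit number shown with its first six and last four digits hides six digits, but the Luhn checksum fixes one of them, leaving five free. The script counts the Luhn-valid fillings for a masking policy without generating any of them; the masks are constructed from the public test number 4111 1111 1111 1111, and the function names are this example's own.

```python
"""Count how many Luhn-valid card numbers fit a partially masked PAN."""


def luhn_contribution(digit: int, pos_from_right: int) -> int:
    """Value a digit adds to the Luhn sum at a 0-based position from the right."""
    if pos_from_right % 2 == 1:  # every second digit from the right is doubled
        digit *= 2
        if digit > 9:
            digit -= 9
    return digit


def count_candidates(masked_pan: str) -> int:
    """Number of ways to fill each '*' so the whole number passes the Luhn check.

    Uses a dynamic programme over the running sum mod 10, so the result is a
    count only; no candidate number is ever built.
    """
    ways = [0] * 10
    ways[0] = 1  # one way to have an empty sum of 0
    for pos, ch in enumerate(reversed(masked_pan)):
        options = range(10) if ch == "*" else [int(ch)]
        nxt = [0] * 10
        for total, n in enumerate(ways):
            if n:
                for d in options:
                    nxt[(total + luhn_contribution(d, pos)) % 10] += n
        ways = nxt
    return ways[0]  # fillings whose Luhn sum is 0 mod 10


# Constructed masks, all derived from the public test number 4111111111111111.
MASKS = {
    "first 6 + last 4 (as in the exposed record)": "411111******1111",
    "last 4 only": "************1111",
    "fully known": "4111111111111111",
}


def report() -> dict:
    """Residual candidate count for each masking policy above."""
    return {label: count_candidates(mask) for label, mask in MASKS.items()}


if __name__ == "__main__":
    for label, n in report().items():
        print(f"{label:45s} {n:>18,d}")
```

The last-four-only mask leaves 10^11 candidates against 10^5 for the exposed format, which shows how much of the masking's protection is lost when the BIN is returned in the same response.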
Beyond the immediate financial threat, Frontier’s delayed remediation raises broader governance concerns. The company received the initial disclosure on March 3, set a 30‑day deadline, and still has not publicly addressed the remaining flaws. Such inertia erodes consumer trust and may invite regulatory scrutiny under data‑protection statutes. For airlines and other travel‑service providers, the lesson is clear: modernize legacy systems, enforce rapid vulnerability response cycles, and adopt zero‑trust API designs to protect passenger data in an increasingly connected world.