Man hacked airline Web site to locate his lost luggage

  • Basically, their web UI and underlying service both allow retrieving an itinerary if you have the PNR record locator (a string like "W862MY") and either a last name or an email address. The API call is apparently returning the phone number and other data.

    You can argue whether that's a good idea, but it doesn't appear to be a bug or mistake. It's by design.

  • Misleading title. He used his web browser. Equivalent is that we are all hacking HN to read this comment.

  • About which the airline said "(we are) reviewing this case in detail and would like to state that our IT processes are completely robust."

  • we've been here before, different skin same mechanics. only this is not a list of SSNs, this is a single phone number

    someone uses a browser to request information from the server, and uses that information in the clear, to accomplish a normal goal.

    I think the biggest concern is the potential shell game with luggage this enables, which is a security risk, to the prejudice of airline liability.

  • tldr: Two passengers had identical bags. Technically inclined passenger used the ID number from the other passenger's bag to get the other passenger's phone number and exchange bags. Phone number was not visible on the airline web site; he found it using the browser dev console.

    I'd hardly call that hacking, but then again my opinion often doesn't match up with what politicians and courts consider hacking.

  • Reminds me of Tony Abbott getting hacked https://mango.pdf.zone/finding-former-australian-prime-minis...

  • Definitely worth a watch. You too can locate your lost luggage.

    https://www.youtube.com/watch?v=CHPdxyJ_ooQ

  • Brave of him to admit in public he accessed another person's confidential information through hacking a website.

  • "CoMPleteLY RoBUST"!
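
The design described in the first comment and in the tldr (lookup by record locator plus last name or email, with a response that carries contact data the page never displays), as an added example that is not part of the thread and not the airline's code. The record, field names and function names are all constructed for illustration; the second serializer shows the response allow-list that keeps contact data out of the browser.

```python
import hmac
import json

# Constructed sample record; locator, name, email and phone are invented.
BOOKINGS = {
    "ABC123": {
        "locator": "ABC123",
        "last_name": "DOE",
        "email": "j.doe@example.com",
        "phone": "+1-555-0100",
        "segments": [{"flight": "XX100", "origin": "AAA", "dest": "BBB"}],
    }
}

# Fields the itinerary page actually renders (an assumption of this example).
PUBLIC_FIELDS = ("locator", "last_name", "segments")

def _eq(a, b):
    # Case-insensitive, constant-time comparison of the second lookup factor.
    return hmac.compare_digest(a.strip().upper().encode(), b.strip().upper().encode())

def find_booking(locator, last_name=None, email=None):
    """Record locator plus last name OR email, as the comment describes."""
    rec = BOOKINGS.get(locator.strip().upper())
    if rec is None:
        return None
    if last_name is not None and _eq(last_name, rec["last_name"]):
        return rec
    if email is not None and _eq(email, rec["email"]):
        return rec
    return None

def mask_phone(phone):
    # Keep only the last two digits as a hint for the legitimate owner.
    digits = [c for c in phone if c.isdigit()]
    return "*" * (len(digits) - 2) + "".join(digits[-2:])

def lookup_verbose(locator, **who):
    """Serializes the whole record: contact data reaches the dev console
    even though the rendered page never shows it."""
    rec = find_booking(locator, **who)
    return json.dumps(rec) if rec else None

def lookup_minimal(locator, **who):
    """Serializes an allow-list only; the phone is reduced to a masked hint."""
    rec = find_booking(locator, **who)
    if rec is None:
        return None
    out = {k: rec[k] for k in PUBLIC_FIELDS}
    out["phone_hint"] = mask_phone(rec["phone"])
    return json.dumps(out)
```

The allow-list limits what a successful lookup reveals; it does not change how strong the lookup factors themselves are.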