Norwegian programmer Roy Solberg discovered that it was possible to retrieve details of Thomas Cook Airlines’ systems using only a booking reference number. Solberg says he could easily have written a computer program to loop through possible booking reference numbers and extract the personal details of most customers and their trips. Such information could also be used in targeted phishing attacks claiming to come from a travel operator. The vulnerability has now been resolved, but other travel sites may be affected by the same vulnerability. The bug is known as an Insecure Direct Object Reference (IDOR).
Source: https://grahamcluley.com/thomas-cook-airlines-poor-security-breach/

