Security on GDS technology and communication is “hopelessly insecure” and leaves travellers and travel firms open to cybercrime, new research has found.

Delegates at a convention of computer hackers in Germany heard a report from security firm SR Labs that claimed flaws allowed criminals to harvest personal information, steal flights or earn millions in air miles, The Guardian reported.

The main criticism focused on the use of just a PNR code and surname for identification, and the use of that information on communication throughout the booking process and during travel, for example on boarding cards.

Karsten Nohl, one of two researchers who presented at the Chaos Communication Congress convention, said: “If the PNR is supposed to be a secure password, then it should be treated like one. But they don’t keep it secret: it is printed on every piece of luggage. It used to be printed on boarding passes, until it disappeared and they replaced it with a barcode.”

Despite the switch to a barcode, the research found that even these were easily decoded using a number of apps. The researchers also criticised the use of a basic system of PNR generation which was easy to guess.

Other criticisms focused on the lack of controls to monitor who was accessing data, with the researchers warning that cybercrime may force an overhaul of the system if nothing is done sooner.