We have noticed a potential privacy and security issue with the ‘Folio Itinerary’ function within Workflow. During some testing, it was determined that those who have the capacity to arrange travel for others can also request the itinerary for someone else’s travel and have this document forwarded to themselves. While this is a handy feature for admin staff trying to get information for the workers they manage, it does raise some privacy concerns as it pertains to the information included on the itinerary.
Due to privacy, we would never provide a frequent flyer number or flight booking reference to anyone but the person travelling. However, when requesting an itinerary from the ‘Folio Itinerary’ function, this information is available to anyone who has the ‘arrange travel for others’ toggle active.
In a support ticket raised on this issue, I was advised that this was a hardcoded report and cannot be amended. This CANNY is to request that this function and code be reviewed to remove all personal information, or make it so that only the owner of the itinerary can request their own itinerary.