An “ethical” hacker has easily gained access to the personal information of 1.2 million customers of one of India’s largest airlines.
A security researcher revealed last week that he had gained access to a database of budget Indian airline SpiceJet containing the data of its passengers, including their names, dates of birth, phone numbers and email addresses.
The security researcher described their actions as “ethical hacking”, and their identity has not been revealed as they likely broke the law.
The researcher claimed to have gained access to the database simply through “brute-forcing” the system and entering its “easily guessable” password.
They then were able to access an unencrypted database backup file on the airline’s system that contained the personal information, according to a TechCrunch report.
Included in the database was the personal information of some state officials.
SpiceJet is still yet to confirm the breach but it has been validated by CERT-In, the government-run agency in India responsible for cybersecurity.
The security researcher said they first alerted the airline after discovering the vulnerability, but didn’t receive an adequate response.
They then went to CERT-In which confirmed the breach and again alerted the company, with SpiceJet then taking action to protect the sensitive information.
The company has now issued a statement that still doesn’t confirm the breach or vulnerabilities in its systems.
“At SpiceJet, safety and security of our fliers’ data is sacrosanct,” the company said.
“Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process.
“We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
According to the researcher, the database in question contains a rolling month’s worth of flight information and the details of each passenger, and it was easily accessible for anyone who knew where to look.
SpiceJet is one of India’s largest privately-owned airlines, accounting for about 13 per cent of the market share in the country. The company flies more than 600 planes daily, with several connecting to Dubai and Hong Kong.
It’s not the first airline to be hit by a major data breach.
It was revealed in 2018 that Hong Kong airline Cathay Pacific had kept a significant data breach secret for more than six months.
About 9 million customers of the airline were impacted, with their personal information including names, nationalities, phone numbers, addresses and passport numbers compromised.
The breach saw nearly 900,000 passport numbers and nearly 250,000 Hong Kong identity card numbers accessed.
Cathay Pacific had first identified “suspicious activity” in its network in March 2018 and was able to confirm “unauthorised access to certain personal data” in early May.
But the company only informed its customers that were impacted by the breach in October 2018, more than six months after the breach.
That year also saw other airlines, including British Airways and Delta Airlines, involved in data breaches that saw the information of several hundred thousand customers exposed.
Airlines typically collect a wide range of personal details about their passengers.
It was revealed last year that Cathay Pacific had been collecting images of its passengers while flying and tracking their use of inflight entertainment. The airline’s privacy policy revealed the ways it was tracking and collecting data on its passengers and how this highly personal information was being used and stored.