While the leak exposed some personal details, it did not reveal users’ payment information. According to Akasa Air, “no travel-related information, travel records or payment information was compromised.” This breach was discovered by security engineer Ashutosh Barot. Barot said Akasa Air fixed the leak within two weeks after he notified the company.
Misconfiguration Exposed User Data
In a press release, Akasa Air said it was made aware of a configuration error that may have allowed unauthorized individuals to view the personal details of its registered users. This personal data includes names, email addresses, gender, and phone numbers. The company has taken steps to secure its systems and resolve the issue. “On being made aware of this, we immediately stopped this unauthorised access by completely shutting down the associated functional elements in our system. Subsequently, having added additional controls to address this situation, we have resumed our login and sign-up services,” Akasa Air said.

The company reported the incident to CERT-In, India’s national computer emergency response team. Affected Akasa Air users have also been alerted about the breach and told to be on high alert for potential phishing attacks.

In a blog post, Barot, who has hacked United Airlines multiple times, explained how he discovered the leak on the Akasa Air website. He said he considered testing Akasa Air’s security in July but waited for the airline to commence flights on August 7. Barot explained that he created a profile on the Akasa Air website and logged in to search for his personal data in “burp responses.” “I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format. I immediately changed some parameters in request and I was able to see other users’ PII. It took around ~30 minutes to find this issue,” he wrote. Barot commended Akasa Air for acting swiftly to close the breach. He noted that there’s a possibility he may have found this vulnerability before it was discovered and exploited by threat actors.
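As an added illustration (not Akasa Air's code and not taken from Barot's write-up): a minimal profile endpoint showing the class of flaw described above, a handler that authenticates the caller but then trusts a client-supplied user id for the lookup, beside a hardened version that binds the lookup to the authenticated session and logs the mismatch so defenders get a signal. The user table, session store and the parameter name `userId` are assumed placeholders.

```python
from dataclasses import dataclass, asdict

# Constructed sample data: not real Akasa Air users or sessions.
@dataclass
class User:
    id: int
    name: str
    email: str
    phone: str
    gender: str

USERS = {
    101: User(101, "Alice Example", "alice@example.test", "+91-00000-00001", "F"),
    102: User(102, "Bob Example", "bob@example.test", "+91-00000-00002", "M"),
}
# Session token -> id of the authenticated user (assumed session model).
SESSIONS = {"tok-alice": 101, "tok-bob": 102}
AUDIT: list[str] = []  # stand-in for the server's security log

class Forbidden(Exception):
    pass

def profile_vulnerable(session_token: str, params: dict) -> dict:
    """Flawed pattern: checks that the caller is logged in, then uses the
    client-supplied userId for the lookup, so any logged-in user can fetch
    any other user's profile JSON (name, email, phone, gender)."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    user = USERS[int(params["userId"])]  # no check that this is the caller's own record
    return asdict(user)

def profile_hardened(session_token: str, params: dict) -> dict:
    """Hardened pattern: the record returned is always the session owner's.
    A userId that does not match the session is refused and written to the
    audit log, which gives defenders a signal for parameter-tampering attempts."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise Forbidden("not logged in")
    requested = int(params.get("userId", caller_id))
    if requested != caller_id:
        AUDIT.append(f"object-level auth failure: user {caller_id} requested profile {requested}")
        raise Forbidden("profile belongs to another user")
    return asdict(USERS[caller_id])

if __name__ == "__main__":
    print(profile_vulnerable("tok-alice", {"userId": "102"}))  # returns Bob's record to Alice
```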
Akasa Air’s Co-Founder and CEO Anand Srinivasan said the company will maintain robust security protocols to strengthen its systems and ultimately continue to provide a “secure and reliable customer experience.” “While extensive protocols are in place to prevent incidents of this nature, we have undertaken additional measures to ensure that the security of our systems is even further enhanced,” Srinivasan said.
How Data Breaches Can Affect Airlines
Cybersecurity lapses in airlines’ systems can affect millions of passengers. In 2021, the personal data of about 60 million Malindo Air users was found on sale on the dark web. Also, last year, Malaysia Airlines’ Enrich found that its frequent flyer customer program data was exposed for over nine years.

At VPNOverview, we conduct research to check for vulnerabilities that may result in the unintended leak of user data. We’ve found that misconfigured AWS S3 buckets have led to data breaches in large, reputable organizations, such as Sephora, PlatformQ, and Sega. As a user, you can reduce the chances of your personal data leaking by using a Virtual Private Network (VPN) and an identity theft monitoring service like LifeLock. We also recommend that you check out our in-depth guide to phishing.