SpiceJet, India’s privately owned low-cost airline, suffered a data breach when an unsecured database exposed the personally identifiable information (PII) of 1.2 million fliers. According to TechCrunch, a security researcher from the U.S. discovered the flaw; TechCrunch declined to name the ethical hacker, as the research was likely in conflict with certain U.S. computer hacking laws.
The researcher used a brute-force attack against a SpiceJet system to gain access, and insisted that the compromised system’s password was easily guessable. After gaining control of the system, the researcher discovered an unencrypted database backup file containing the PII of more than 1.2 million passengers.
The exposed database included a month’s worth of flight information and details of all passengers, including state officials who used the airline for official travel. The exposed passenger information included first and last names, phone numbers, email addresses, and dates of birth.
The researcher contacted SpiceJet to have the flaw patched, but after a delayed response went ahead and alerted CERT-India. After confirming the researcher’s findings and the underlying lapse, CERT-In notified SpiceJet about the possibility of a data breach due to the unsecured database. Only then did SpiceJet’s IT department patch the critical vulnerability.
When TechCrunch contacted SpiceJet for comment on the data breach, a company spokesperson said, “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
The SpiceJet data breach highlighted the need for basic cybersecurity training across all levels and hierarchies of an organization.
Singapore Airlines’ KrisFlyer Account data breach
In January last year, a software glitch possibly exposed the personal information of 285 members of the Singapore Airlines (SIA) KrisFlyer frequent flyer programme. The bug exposed KrisFlyer account details and personal information including the passengers’ full name, email address, membership tier, account number, accumulated miles/rewards, travel history, passport details, and flight information.
SIA officials stated that the incident occurred on January 04, 2019, from 2:00 am to 12:15 pm, when two or more users logged in to their KrisFlyer accounts at the same time. The airline stated that it had informed Singapore’s Personal Data Protection Commission about the customer data breach and had notified the affected customers.