Using a brute-force attack, the researcher gained access to an unencrypted database backup file containing the private information of more than 1.2 million passengers who flew with SpiceJet last month. According to the ethical hacker, the password protecting the data was easily guessable.
Data exposed in the breach included passengers' names, phone numbers, email addresses, and dates of birth. Among the passengers whose data was exposed were several state officials.
According to the researcher, the database file was easily accessible for anyone who knew where to look, leaving the budget airline vulnerable to cyber-attackers.
After successfully gaining unauthorized access to SpiceJet's passenger data, the researcher contacted the airline to warn them that a breach had occurred. The researcher said that their efforts to reach out to the airline elicited no meaningful response from SpiceJet.

The researcher went on to notify India's computer emergency response team (CERT-In) of the breach. The government-run agency confirmed that the breach had occurred and went on to issue an alert to SpiceJet.
While SpiceJet has now taken steps to secure the exposed database, the airline has declined to confirm CERT-In's findings.
A spokesperson for the airline said in a statement: “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”

SpiceJet is one of the country's largest privately-owned airlines, commanding an approximate 13% market share in India. The airline, which is headquartered in Gurgaon, flies over a million passengers a month and puts more than 600 planes in the air every day.
According to a new report from Forbes, the Hong Kong flag carrier has amended its official personal data collection policy to allow the airline to compile a database with detailed information on passengers’ use of in-flight entertainment systems (IFE) – including, but not limited to, images recorded by seatback cameras, customers’ activities at airport terminals and even data obtained about membership activity in competing hotel and airline loyalty programs.
The security researcher who detected the security lapse has chosen to remain anonymous.