Data is the currency of the 21st century, and any company that puts its customers’ private data in jeopardy is seen as an outcast. One such example comes from India, where the country’s second-largest private airline, SpiceJet, saw the data of close to 1.2 million passengers leaked online, reports TechCrunch. There is no official confirmation from SpiceJet on the same.
The researchers who gained access to SpiceJet’s database have described their actions as “ethical hacking”. They did so by brute-forcing the server’s easily predictable password, which got them an unencrypted database backup file containing personal data of 1.2 million passengers who boarded SpiceJet flights last month. Brute-forcing access to a password-secured page is one of the most common types of cyber attacks on the web. The very fact that the hacker was able to access the data with just a few brute-force attempts goes to show the negligence on the airline’s part.
The researchers made this data leak known to SpiceJet but didn’t receive a word back from the company. The researcher later alerted CERT-In, a government-run agency in India that handles cybersecurity threats in the nation. The agency confirmed the security lapse, and alerted SpiceJet. The airline has since protected the database.
In a statement issued by SpiceJet to The Tech Portal, the airline has avoided talking about the breach and has instead sent a boilerplate response. It reads: “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
While going through one such list, researchers found records containing details such as the name of the passenger, their phone number, email address, and date of birth. The researchers said the details were available to anyone who knew where to look, meaning access was not very difficult and the security measures were not up to the mark. These details also included those of some state officials, said the researchers.
In other news, SpiceJet, as well as other airlines including IndiGo, GoAir and Air India, has banned comedian Kunal Kamra from boarding its flights for the foreseeable future after an incident with journalist and founder of Republic TV, Arnab Goswami. Apparently, Kamra made a video starring Arnab in which he asked him questions about his political affiliations, accusing him of being biased, an act which was seen as heckling by many.
UPDATE [Jan 31 – 15:44 IST]
In a fresh statement issued to The Tech Portal today, SpiceJet has denied any such hack or leak of passenger data. Here’s the full statement:
“There was no data breach in any of SpiceJet’s servers. At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”