Personal details such as names, phone numbers, email addresses and dates of birth of more than 1.2 million SpiceJet passengers, including state officials, were shown to be vulnerable to data breach by a security researcher, TechCrunch reported. The researcher reportedly managed to gain entry to the system, that had a rolling month’s worth of flight information and details of each SpiceJet commuter, by brute-forcing the “easily guessable password“.
The unnamed researcher, who described their actions as “ethical hacking”, had initially alerted SpiceJet about the incident but had failed to receive an appropriate response from the airline, TechCrunch reported. They then informed CERT-In (Indian Computer Emergency Response Team), the government-run agency that handles cybersecurity threats, which reportedly confirmed the security lapse and alerted SpiceJet. According to the TechCrunch report, SpiceJet has since taken measures to protect the database. In its statement to MediaNama, however, SpiceJet denied any data breach in any of their servers.
There was no data breach in any of SpiceJet’s servers. At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level. — SpiceJet Spokesperson.
We have sought further response from the airline about the claims made in the TechCrunch report.
British Airways data breach: This is not the first time that the data of airline passengers has been breached. In July 2019, British Airways was fined more than £183 million by the UK Information Commissioner’s Office (ICO) after hackers stole the personal data of about half a million of the airline’s customers last year, according to the BBC. The ICO said that following an extensive investigation, it found that customer details including login, payment card, name, address and travel booking information were harvested by diverting customers to a fraudulent website, and added that the breach occurred because of BA’s “poor security arrangements” to protect customer information.