wordpress blog stats
Connect with us

Hi, what are you looking for?

When an Indigo flyer “hacked” his way to retrieve lost baggage, he found a privacy risk that plagues the entire airline industry

Online booking may have normalised getting access to airline passenger details, but does that make it okay?

On March 27 evening, software engineer Nandan Kumar landed in Bengaluru and made his way home. But upon reaching home, his wife pointed out that he got the wrong bag. “My bag got exchanged with another passenger. An honest mistake from both our ends. As the bags [are] exactly the same with some minor differences,” Kumar said. So, Kumar did what anyone in his situation would do and reached out to Indigo to help him connect with his co-passenger and get his bag back. But after waiting and failing to get the help he needed, Kumar took matters into his own hands. That’s when he stumbled upon a data leak on Indigo’s website that allowed him to contact his co-passenger. Indigo defended itself by saying that it was not a data leak and Kumar was able to find the mobile number of the co-passenger due to a “norm practised across all airline systems globally.” But does a practice become right just because it is a common practice?

How did Kumar retrieve the contact details of his co-passenger?

Kumar shared his full story on Twitter (which is an entertaining read), but to cut to the chase, he was able to obtain the contact details of the passenger who had his bag by using the PNR and last name he found on the bag with him.

But it wasn’t as simple as it sounds because Kumar wasn’t able to use the “Edit Booking” page on Indigo’s site to access the passenger’s details. “Some people say, the email and number are shown on the screen, but in this case, I was not shown them. Now, I don’t know what kind of logic they use behind the scene. I think if you subscribe to WhatsApp update or something then the mobile number is shown on the screen. But I’m not sure,” Kumar told MediaNama.

Instead, he had to rely on his software engineering skills to do the check-in flow with network log on, and amidst the trove of data that the server responded with, was the passenger’s mobile number and email address. 

What details can be accessed with PNR and last name/email address?

While Kumar was able to gain access to the mobile number and email address of the passenger, that’s not all. In a screenshot Kumar shared with MediaNama (shown below), we were able to verify that the Indigo servers responded with the complete address of the passenger as well as alternate contact numbers if any.

Screenshot of the details one can access with PNR and the last name on Indigo’s website using network log. Sensitive details have been censored.

What was Indigo’s response?

“Any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practised across all airline systems globally,” the airline stated in a tweet responding to the issue pointed out by Kumar.

Indigo also said that it remains “fully committed to consumer data privacy and industry benchmark cybersecurity standards” and that its “IT processes are completely robust and, at no point was the IndiGo website compromised.”

MediaNama has reached out to Indigo with additional queries and will update this post once we get a response.

Advertisement. Scroll to continue reading.

It’s not right just because it is a common practice

It’s true that almost all airlines allow you to get details of any passenger by entering their PNR and last name/mobile/email address. And in most cases, you don’t even have to go through the complicated process of using network logs to get these details. This is what allows passengers to conveniently web check-in, select dates, change contact information, change flight details, etc. But asserting that there is nothing wrong with this practice just because everyone does it is a logical fallacy known as Argumentum ad Populum or more commonly, the bandwagon fallacy. In other words, the fallacy is thinking something is true or better because the majority thinks so. After all, at one point in time, most people thought the earth was flat!

“Whatever has been happening has for a very long time, but times have changed now. Now, is the era of data. You have to work on making the data as secure as possible. You cannot be as casual as you have been so far,” Kumar told MediaNama.

Why is this “industry norm” a privacy risk?

Getting access to someone’s PNR and last name is not a complicated or hard task. For example, a passenger standing in front of you while boarding a flight is most likely holding their boarding pass, which has both these details prominently displayed. You can also just as easily take a photo of the information stickers on the bags while waiting at the baggage belt.

“When the manager from Indigo called me, I gave him a very simple example. Let’s say I am Bill Gates and I am travelling by your flight. Now I have my boarding pass in my hand and someone is standing behind me. Now that person takes note of the PNR and goes back and gets my complete contact details such as phone number, email, and address,” Kumar said. While it is unlikely that Bill Gates is travelling on a commercial airline, the example nevertheless highlights the privacy-invasive nature of this data leak, especially for prominent personalities. It can also be an equally, if not more, serious concern when it comes to stalking because a stalker can easily misuse this feature to track down their victim.

We also recently did a story on how hackers are increasingly relying on social engineering to target their victims. When sensitive personal data is so easily obtainable, the hackers’ job becomes so much easier.

What measures can be taken to preserve passenger privacy?

  1. Don’t have to show the mobile number and email: “In my opinion, you don’t even have to show the mobile number and email along with booking details. You can keep it on your server and use it whenever you need it, and that is fine because it will then be protected from public view,” Kumar told us when asked what can be done to increase safeguards. As far as Indigo goes, “What they do is, they send the data in response but don’t render in the website, so it’s better not to send the data or make the whole check-in or edit booking process more secure,” Kumar said.
  2. Have another layer of authentication: “You can also add another layer of authentication before showing sensitive details. Nowadays, every small website has two-factor authentication, so airlines can do that too,” Kumar opined.

Update (30 March, 7:50 pm):

In an emailed response, Indigo said:

Advertisement. Scroll to continue reading.

“We are reviewing this case in detail and we would like to state that our IT processes are completely robust and, at no point was the IndiGo website compromised. Our customer care team followed protocol by not sharing any other passenger’s contact details with another passenger. This is in line with our data privacy policies. Attempts were made by the customer care team to facilitate the exchange of baggage, but it could not be completed as the calls went unanswered. IndiGo remains fully committed to consumer data privacy and industry benchmark cybersecurity standards.”

Also Read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ