SpiceJet, one of India’s largest privately owned airlines, suffered a data breach involving the details of more than a million of its passengers, a security researcher told TechCrunch.
The security researcher, who described their actions as “ethical hacking” but whom we are not naming as they likely fell afoul of U.S. computer hacking laws, gained access to one of SpiceJet’s systems by brute-forcing the system’s easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the budget-carrier last month, TechCrunch has learned.
Each record included details such as name of the passenger, their phone number, email address and their date of birth, the researcher told TechCrunch. Some of these passengers were state officials, they said.
The database included a rolling month’s worth of flight information and details of each commuter, they said, adding that they believe that the database was easily accessible for anyone who knew where to look.
The researcher alerted SpiceJet about the database, but said they never received a meaningful response. TechCrunch reviewed a sample of the passenger list as well as the researcher’s email correspondence with SpiceJet representatives.
The researcher later alerted CERT-In, a government-run agency in India that handles cybersecurity threats in the nation. The agency confirmed the security lapse, and alerted SpiceJet, which has since taken the necessary measures to protect the database.
An airline spokesperson said in a statement, “at SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
30/01/20 TechCrunch
To Read the News in full at Source, Click the Headline
The security researcher, who described their actions as “ethical hacking” but whom we are not naming as they likely fell afoul of U.S. computer hacking laws, gained access to one of SpiceJet’s systems by brute-forcing the system’s easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the budget-carrier last month, TechCrunch has learned.
Each record included details such as name of the passenger, their phone number, email address and their date of birth, the researcher told TechCrunch. Some of these passengers were state officials, they said.
The database included a rolling month’s worth of flight information and details of each commuter, they said, adding that they believe that the database was easily accessible for anyone who knew where to look.
The researcher alerted SpiceJet about the database, but said they never received a meaningful response. TechCrunch reviewed a sample of the passenger list as well as the researcher’s email correspondence with SpiceJet representatives.
The researcher later alerted CERT-In, a government-run agency in India that handles cybersecurity threats in the nation. The agency confirmed the security lapse, and alerted SpiceJet, which has since taken the necessary measures to protect the database.
An airline spokesperson said in a statement, “at SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
30/01/20 TechCrunch
0 comments:
Post a Comment