A technical issue that disrupted the login and sign-up services of Akasa Air, India’s recently launched airline, which started operating earlier this month, resulted in the exposure of thousands of its customers’ personal information.
Ashutosh Barot, a cybersecurity expert, found that the Akasa Air website had disclosed full names, gender, email addresses, and phone numbers of users who were registering and checking in.
The researcher looked at Akasa Air’s website on August 7, the company’s first day of operation, and within minutes found an HTTP request providing the data. He had first tried directly contacting the airline’s security personnel, but he had been unsuccessful.
“I requested an email address from the airline through their official Twitter account in order to report the issue. They gave me the info@akasa email address, but I refrained from using it to convey the vulnerability information out of concern that it would end up in the hands of outsiders or customer support agents. I sent [the airline] another email asking for a member of their security team’s email address. Akasa didn’t reply to my future messages,” said the researcher.
The researcher didn’t hear back from the airline regarding how he could get in touch with the security team, so he informed TechCrunch about the issue.
When we contacted Akasa Air, they responded promptly and acknowledged that the issue had put the safety of 34,533 different customer records in jeopardy. The airline further stated that the exposed data did not contain any information related to travel or payment records.
When Akasa Air became aware of the issue, sign-ups were no longer being accepted. According to its statement, the airline tightened its restrictions before beginning its regular public service.
The airline also disclosed to TechCrunch that it performed further checks to guarantee the security of all of its systems.
Akasa Air reported the incident to India’s nodal cybersecurity agency CERT-In and notified its affected users through a statement that it also made public on Sunday. It advised users “to be conscious of possible phishing attempts” due to the data exposure. Further, it confirmed to TechCrunch that it did not see an “untoward spike in access” to the data.
“System security and the safety of client information are of the utmost importance to Akasa Air, and our goal is to always deliver a secure and dependable customer experience. Despite the fact that we have numerous safeguards in place to stop instances of this sort, we have also taken further steps to ensure that the security of all our systems is even higher,” Anand Srinivasan, co-founder and chief information officer at Akasa Air, said in a prepared statement. “We will continue to maintain our rigorous security protocols, engaging wherever applicable, with partners, researchers, and security experts from whom we can benefit to strengthen our systems,” he added.
“I am glad the airline fixed the issue on short notice and reported it to CERT-In as well as informed its customers about the incident, which is an exemplary step,” the researcher said.
Incidents of data exposure and leaks are becoming common in India, which withdrew the last iteration of its data protection bill earlier this month. A number of domestic companies in the country also do not have dedicated programs to award and incentivize researchers helping to find flaws in their systems.