Popular Indian Airline SpiceJet Exposed Easily Brute-Forceable Database Containing 1.2 Million Customers

by Abeerah Hashim

SpiceJet, the second-largest airline in India, has now made it to the news. Reportedly, SpiceJet leaked the data of around 1.2 million customers after leaving it on an unsecured server.

SpiceJet Leaked Data Via Unsecured Server

As revealed, SpiceJet, the popular airline known for its low prices, leaked data of over a million customers online.

According to the details TechCrunch shared in their post, a researcher managed to hack one of SpiceJet’s systems. With a simple brute-force attack, the researcher succeeded in accessing the stored information, which was in unencrypted form.

This unencrypted database, as discovered, contained private information of over 1.2 million customers who utilized the services of the airline in the previous month. Specifically, the leaked details included passengers’ names, birth dates, phone numbers, and email addresses. The affected passengers also included some state officials, which further worsens the matter.

SpiceJet Secured The Database After Initial Unresponsiveness

The researcher believed anyone with an internet connection knowing “where to look” could access the information.

After this discovery, the researcher first alerted SpiceJet regarding the matter. However, due to the lack of a “meaningful response”, he then reported it to CERT-In. The agency confirmed the issue and alerted SpiceJet, who then secured the database.

According to a statement by an airline spokesperson,

At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.

TechCrunch refrained from mentioning the name of the researcher owing to legal issues. As stated in their post, the researcher “likely fell afoul of U.S. computer hacking laws”.
