Indian airline SpiceJet has become the latest company to suffer from a massive data breach that had compromised the personal information of millions of passengers.
The lapse, which was discovered by an unnamed security researcher through a practice called “ethical hacking,” involves an easily accessible database that contains private information of over 1.2 million SpiceJet passengers for the last month. According to TechCrunch, the researcher was able to discover the unencrypted database by “brute-forcing the system’s easily guessable password.”
Among the details present in the file includes the passengers’ names, phone numbers, email addresses, and dates of birth. Some of the affected individuals were even disclosed to be state officials.
“The database was easily accessible for anyone who knew where to look,” the report added.
In an effort to prevent criminals from accessing the database, TechCrunch said that the ethical hacker has notified SpiceJet about the database but failed to “received a meaningful response.”
The researcher later reached out to the Indian cybersecurity agency CERT-In, who later confirmed the security lapse and alerted SpiceJet about the unencrypted file.
In a later statement, SpiceJet, however, dismissed the data breach report and even claimed that there was no security lapse in its systems.
“There was no data breach in any of SpiceJet’s servers. At SpiceJet, the safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level,” a SpiceJet spokesperson explained.
Incorporated in 1984 with the name Genius Leasing Finance and Investment Company Ltd, SpiceJet now serves as one of India’s largest privately-owned airlines. It is best known for its affordable airfares and is currently operating more than 600 daily flights on an average to 62 destinations.
The report of the breach makes SpiceJet the latest airline to be hit by a major data breach. In 2018, Hong Kong airline Cathay Pacific suffered from a similar incident, exposing the details of more than 9 million customers, including their names, nationalities, phone numbers, addresses, and passport numbers.
“Attackers should not be able to simply walk through the front door and gain unauthorized access to the private details of 1.2 million passengers,” Bil Harmer, chief information security officer of SecureAuth Corp. said in an interview with Silicon Angle.
“This breach is another major wakeup call for organizations to improve their identity security approach — moving away from passwords and thinking about adaptive authentication that uses risk-based analysis techniques such as geographic location analysis, device recognition, IP reputation-based threat services and user behavior analytics,” he added.