The cybersecurity researcher, as TechCrunch reports, was able to brute-force the easily guessable password of a SpiceJet system. Each record included passenger details such as name, phone number, email address and date of birth. Additionally, the database included flight information and details of each commuter.
The size of the exposed data was considerable. The database contained a rolling month’s worth of flight information, with personal details of each passenger, such as name, phone number, email address and date of birth. Some of the details were of Indian state officials. SpiceJet commands around 13 percent of the airline market share in India.
The name of the security researcher who exposed the issue has not been disclosed as this form of so-termed ‘ethical hacking’ is illegal.
Commenting for Digital Journal on the issue, Anurag Kahol, CTO of Bitglass, says: “Managing personal data belonging to billions of passengers every year, the global airline industry must ensure that proper security controls are always in place. This security incident impacting SpiceJet customers exhibits how passwords alone are not enough to protect databases from hackers.”
Kahol offers advice for similar companies operating in the travel sector: “Organizations need to take the extra step and employ multi-factor authentication to confirm an individual’s identity before allowing data access.”
He also recommends that “to achieve full visibility and control over customer data, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive consumer information.”