Akasa AirThe newly launched Indian airline, which started operations earlier this month, exposed the personal data of thousands of its customers due to a technical issue that affected its check-in and check-in service.
The exposed data discovered by a cybersecurity researcher Ashutosh Barotincluded the full names, gender, email addresses and phone numbers of customers who register and log in to the Akasa Air website.
The researcher discovered an HTTP request revealing the data minutes after browsing Akasa Air’s website on its August 7 launch day. He initially tried to communicate directly with the Mumbai-based airline’s security team, but found no direct contact.
“I contacted the airline through their official Twitter account, asking them for an email ID to report the issue. They gave me the email address info@akasa where I did not share the details of the vulnerability because it could be handled by service personnel or third party vendors. So I emailed them again and asked [the airline] delivers [the] email address of one of their security team. I did not receive any further message from Akasa,” the researcher said.
After not getting a response from the airline on how to contact the security team, the researcher informed TechCrunch about the issue.
Akasa Air was quick to respond when contacted and acknowledged that the issue had put 34,533 unique customer records at risk. The airline also said the disclosed data did not include travel-related information or payment records.
After being notified of the incident, Akasa Air closed its check-in service. The airline also said it had added additional controls before resuming service to the general public.
The airline also told TechCrunch that it has performed additional reviews to ensure the security of all its systems.
Akasa Air reported the incident to India’s nodal cyber security agency CERT-In and notified its affected users through a statement that it also became public domain on Sunday. It advised users to “be aware of possible phishing attempts” due to data exposure. Additionally, he confirmed to TechCrunch that he hasn’t seen an “adverse spike in access” to the data.
“At Akasa Air, system security and the protection of customer information is paramount and our focus is to always provide a secure and reliable customer experience. While extensive protocols are in place to prevent incidents of this nature, we have taken additional measures to ensure that the security of all our systems is even further enhanced. We will continue to maintain our robust security protocols, engaging when applicable with partners, researchers and security experts we can leverage to strengthen our systems,” Anand Srinivasan, Co-Founder and Chief Information Officer of Akasa Air said in a prepared statement on the matter.
“I am glad that the airline corrected the problem in a short time and reported it to CERT-In as well as informed its customers about the incident, which is an exemplary step,” the researcher said.
Data disclosure and leakage incidents are becoming common in India which withdrew the latest iteration of its data protection bill earlier this month. A number of domestic companies in the country also do not have special programs to reward and incentivize researchers who help find flaws in their systems.