In recent months it has become very common to hear reports of information security incidents occurring on airlines around the world. This time, the affected company is SpiceJet, one of India’s largest private airlines, which has become the most recent data breach victim; the incident involves information of more than one million users.
The researcher gained access to one of SpiceJet systems using brute force methods, an easy task since these systems were protected with a very weak password. The researcher mentions that later he found a database containing the information of 1.2 million airline users.
The information was revealed by an anonymous researcher and published by various specialized platforms. Although the alleged investigator considers his work as ethical hacking, he argues that it is impossible for him to reveal his identity, as in the process he has violated some laws related to hacking and information security activities in the US.
Regarding the compromised information, each record is unique and includes details such as:
- Full names
- Phone numbers
- Email addresses
- Birth dates
To make matters worse, the researcher claims that many of these records belong to state officials who have travelled through SpiceJet. The database has records of about a continuous month of activities and is available to anyone who knows where to look for this kind of information.
The researcher claims he tried to contact the airline’s IT staff, although he did not get a satisfactory response. Faced with the company’s no action, the expert chose to notify CERT-In, public agency responsible for managing information security incidents within India territory. CERT staff corroborated the investigator’s claims and notified SpiceJet of the incident.
A SpiceJet spokesperson said: “The security of our users’ information is our priority. Our systems have the best protections and are frequently updated to prevent any information security incidents. We have taken every possible measure to maintain the highest security standards.”
SpiceJet operates about 13% of the airline market in India. With more than 600 flights a day, this is one of the fastest growing businesses in Asia, so it’s vital that their IT teams operate with industry best practices.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.