An incident at India’s newest airline, Akasa Air, exposed the personal data of thousands of customers. The company blamed a technical configuration error for the exposure.
The security flaw was identified by security researcher Ashutosh Barot, who stated:
“Due to a flaw that was present in the account registration process, thousands of sensitive customer data were exposed, resulting in the theft of confidential information.”
The following types of data were exposed in this incident:
- Email addresses
- Phone numbers
During his investigation, he noticed an HTTP request being made and received a JSON-formatted response to it.
In an attempt to refine the request, he immediately changed some of its parameters. As a result, he was able to see the personal information of other users, and it took just 30 minutes.
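The article does not publish the request, endpoint or parameter names. The added example below is not Akasa Air's code; its function names, record fields, session tokens and sample data are all constructed assumptions. It shows the server-side ownership check whose absence lets a changed request parameter return another user's record, along with a regression check that detects the leak.

```python
import json

# Constructed sample data: two registered customers (not real records).
USERS = {
    "u-1001": {"name": "Asha", "email": "asha@example.com", "phone": "+91-0000000001"},
    "u-1002": {"name": "Ravi", "email": "ravi@example.com", "phone": "+91-0000000002"},
}
# Constructed session store: session token -> user id the server authenticated.
SESSIONS = {"tok-asha": "u-1001", "tok-ravi": "u-1002"}


def get_profile_vulnerable(session_token, requested_user_id):
    """Trusts the client-supplied identifier: any logged-in caller reads any record."""
    if session_token not in SESSIONS:
        return 401, json.dumps({"error": "unauthenticated"})
    record = USERS.get(requested_user_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(record)


def get_profile_hardened(session_token, requested_user_id):
    """Binds the lookup to the identity the server established for the session."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, json.dumps({"error": "unauthenticated"})
    # Same answer for "not yours" and "does not exist", so ids cannot be probed.
    if requested_user_id != owner or owner not in USERS:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(USERS[owner])


def audit(handler):
    """Return (session, user_id) pairs where a caller reads someone else's record."""
    leaks = []
    for token, owner in SESSIONS.items():
        for user_id in USERS:
            status, _ = handler(token, user_id)
            if status == 200 and user_id != owner:
                leaks.append((token, user_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", audit(get_profile_vulnerable))
    print("hardened:  ", audit(get_profile_hardened))
```

Running `audit` against every handler that returns personal data, as part of the test suite, catches this class of flaw before release.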
The bug was identified as soon as the low-cost airline began operating in the country on August 7, 2022, and Barot has already informed the company of the incident.
As a mitigation, the company has shut down a few of the most critical components of its system. As part of the investigation, it has also notified CERT-In of the incident.
The glitch has not yet been exploited in the wild, and there is no evidence that it has been. Akasa Air has further confirmed that no information pertaining to travel or billing has been misused.
Moreover, the airline noted that it had directly notified affected users about the incident. However, the extent of the leak remains unclear at the moment.
Users are advised to be aware of possible phishing attempts and to remain vigilant. In terms of security incidents at Indian companies, this is something that has never been seen before.