A security flaw exposed the details of more than 1.2 million SpiceJet passengers. The exposed details include passenger names, phone numbers, email addresses and dates of birth.
According to TechCrunch, a security researcher who described their actions as “ethical hacking” gained access to one of SpiceJet’s systems by brute-forcing.
The system had an easily guessable password, which let the researcher gain access to the backup database.
The backup database was unencrypted and held the private information of more than 1.2 million of the company’s passengers.
The database also contained the rolling month’s flight information, including the details of each commuter, according to the TechCrunch report.
The researcher reached out to SpiceJet but received no valid response, and later alerted CERT-In, a government-run agency in India that handles cybersecurity threats.
CERT-In later confirmed the flaw and alerted SpiceJet to take the necessary steps to secure the database.
A SpiceJet spokesperson said that “at SpiceJet, safety and security of our fliers’ data are sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
SpiceJet is a low-cost carrier and the second-largest Indian airline, with a market share of 13.6% as of March 2019. The company operates 630 flights daily.