Poor security practices at Indian airline: data of 1.2M customers breached

Ethical hacker breached SpiceJet servers by using a simple brute-forcing technique

SpiceJet, one of the fastest-growing Indian air carriers, was recently exposed to practicing poor data security measures. As first reported by Tech Crunch,^[1] the cybersecurity incident possibly exposed details of more than 1.2 million passengers, which included information like names, phone numbers, dates of birth, and phone numbers.

According to the news article, an anonymous security researcher managed to breach SpiceJet's systems by using a simple brute-force attack – the easily-guessable password was used, which immediately granted unauthorized access to passengers' information, compiled inside a database. The name of the researcher was not disclosed due to violation of the U.S. hacking laws, as the act could result in a lawsuit due to inadequate computer hacking practices.

Upon discovery, the researcher immediately contacted the budget airline, reporting about the security flaw that could easily be exploited by malicious actors who know where to look. However, SpiceJet failed to respond to the claims, and Tech Crunch was provided with the evidence of potential data breach. 

SpiceJet did not acknowledge the data breach

After not receiving a response from the carrier, the security researcher contacted Tech Crunch, providing a sample of the information held on the database as proof. Upon closer inspection, it turned out that some of the passengers were government officials.

Still failing to hear anything from SpiceJet, the anonymous ethical hacker contacted the state cybersecurity agency in India CERT-In (Computer emergency response team), which confirmed that security issues are relevant. Luckily, this prompted the airline to respond and fix the vulnerabilities within the leaky database. Hopefully, an adequate password is now protecting millions of users from various harm that follows the data breach.

The statement from the spokesperson from SpiceJet stated the following:^[2] 

At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.

Despite that, the airline did not mention anything about the breach and the poorly protected database.

Far bigger issue than it seems

There is no evidence currently that the personal information of 1.2 million passengers was actually stolen, as the company strictly denies any type of data breach. However, there are numerous red flags of the event, and the timely detection of vulnerabilities exposed by the anonymous researcher potentially saved millions from harm.

The database was compiled of one month's worth of flying information, along with personal data of the passengers. Protecting such information with a weak password, as well as not applying the two-factor authentication, is a huge security risk on its own,^[3], although it turns out that this data was also not encrypted. Encryption is one of the standards that should be practiced by all companies and organizations that deal with customer data, although incidents like this prove that they are not quite there yet.

In case cybercriminals would have gained access to people's movements across the country and beyond, the information could be used for various malicious deeds – considering that government officials and businessmen also use the carrier. Besides, those affected could become victims of targeted phishing attacks, which could result in malware intrusion, money loss, or even identity theft.^[4]

SpiceJet is one of the largest-growing low-cost airlines in the country, representing over 13% of the market share in India. The carriers' fleet consists of 115 Boeing and Bombardier-type aircraft and operates 630 daily flights, carrying passengers to 64 destinations locally and abroad.^[5]