Akasa Air, India’s newly launched airline that started operations earlier this month, has made the personal details of thousands of its customers public due to a technical glitch affecting its login and signup service.
The exposed data, discovered by cybersecurity researcher Ashutosh Barot, included full names, gender, email addresses and phone numbers of customers who sign up and log in to the Akasa Air website.
The researcher found an HTTP request exposing the data minutes after looking at Akasa Air’s website on its opening day, Aug. 7. He initially tried to communicate directly with the Mumbai-based airline’s security team, but found no direct contact.
“I contacted the airline through their official Twitter account and asked them for an email address to report the issue. They gave me the email ID [email protected] to which I did not share the details of the vulnerability as it may be handled by support staff or third party vendors. So I emailed them again and asked [the airline] to provide [the] email address of someone on their security team. I have received no further communication from Akasa,” the researcher said.
After not receiving a response from the airline on how to contact the security team, the researcher informed londonbusinessblog.com about the issue.
Akasa Air was quick to respond when we contacted it, acknowledging that the issue had compromised 34,533 unique customer records. The airline also said the exposed data did not include travel-related information or payment details.
When Akasa Air was notified of the incident, the sign-up service was shut down. The airline also said it has added further checks before resuming its service to the general public.
In addition, the airline told londonbusinessblog.com that it has conducted additional assessments to ensure the security of all of its systems.
Akasa Air reported the incident to the Indian cybersecurity agency CERT-In and informed the affected users through a statement that it also made public on Sunday. It advised users to “be aware of possible phishing attempts” because of the data exposure. It further confirmed to londonbusinessblog.com that it did not see an “unwanted spike in access” to the data.
“At Akasa Air, system security and protecting customer information is paramount, and our focus is to always provide a safe and reliable customer experience. While there are extensive protocols in place to prevent such incidents, we have taken additional measures to ensure that the security of all our systems is further enhanced. We will continue to maintain our robust security protocols and, where appropriate, work with partners, researchers and security experts from whom we can take advantage to strengthen our systems,” said Anand Srinivasan, co-founder and Chief Information Officer at Akasa Air, in a statement.
“I am pleased that the airline resolved the issue at short notice and reported it to CERT-In and informed its customers about the incident, which is an exemplary step,” said the researcher.
Incidents of data exposure and leaks are becoming more common in India, which earlier this month repealed the latest iteration of its data protection law. A number of domestic companies in the country also do not have special programs to reward and encourage researchers who help find flaws in their systems.