SpiceJet, one of the largest privately owned airlines in India, was affected by a data breach which involved the details of more than a million of its passengers.
A security researcher, who described their actions as “ethical hacking” gained access to one of SpiceJet’s systems by brute-forcing the system’s easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the airlines.
The data includes details such as passenger’s name, phone number, email address and their date of birth and some of these passengers were state officials.
The database also included a rolling months’ worth of flight information and details of each commuter and this database was easily accessible for anyone who knew where to look.
The researcher first contacted the SpiceJet regarding the issue but did not receive any response. Later they alerted CERT-In, a government-run agency in India that handles cybersecurity threats in the nation. The agency confirmed the security failure and alerted SpiceJet. The company then took the necessary measures to protect the database.
According to an airline spokesperson, at SpiceJet, safety and security of their fliers’ data is sacrosanct. Their systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. They undertake every possible measure to safeguard and protect the data and ensure that the privacy is maintained at the highest and safest level.
SpiceJet has around 13% of the market share in India, which is the fastest growing aviation market globally. The airline flies more than 600 planes daily that includes several flights that connect India to foreign regions such as Dubai and Hong Kong. About 12 million people in India fly each month.