Akasa Air, India’s new airline, which began operations earlier this month, exposed the personal data of thousands of its customers due to a technical glitch that affected its login and registration service.
The exposed data, discovered by cybersecurity researcher Ashutosh Barot, included the full names, gender, email addresses and phone numbers of customers registering and logging into Akasa Air’s website.
The researcher found an HTTP request leaking the data minutes after visiting Akasa Air’s website on its first day on August 7. He initially tried to communicate directly with the airline’s security team based in Mumbai, but could not find a direct contact.
“I contacted the airline through their official Twitter account, asking them for an email id to report the issue. They gave me email id info@akasa to which I did not share the details of the vulnerability as it might be handled by support staff or third party vendors. So I emailed them again and asked [the airline] to provide [the] email address of a member of its security team. I received no further communication from Akasa,” the researcher said.
After not receiving a response from the airline on how he could connect with the security team, the researcher notified TechCrunch of the issue.
Akasa Air responded quickly when we reached out and acknowledged that the issue had put 34,533 unique customer records at risk. The airline also said the data exposed did not include travel-related information or payment records.
Informed of the incident, Akasa Air closed its registration service. The airline also said it added additional checks before resuming service to the general public.
Additionally, the airline told TechCrunch that it is performing additional reviews to ensure the safety of all of its systems.
Akasa Air reported the incident to India’s nodal cybersecurity agency CERT-In and informed its affected users through a statement it also released on Sunday. It advised users to “be aware of possible phishing attempts” due to the data exposure. Additionally, it confirmed to TechCrunch that it hasn’t seen any “annoying spike in access” to data.
“At Akasa Air, system security and the protection of customer information are paramount, and our goal is to always provide a secure and reliable customer experience. While extensive protocols are in place to prevent incidents of this nature, we have taken additional steps to ensure that the security of all our systems is further enhanced. We will continue to maintain our robust security protocols, engaging where appropriate with partners, researchers and security experts we can benefit from to strengthen our systems,” said Anand Srinivasan, co-founder and director of information at Akasa Air, in a prepared statement on this subject.
“I am pleased that the airline resolved the issue at short notice and reported it to CERT-In and informed their customers of the incident, which is an exemplary step,” the researcher said.
Data exposure and leak incidents are becoming commonplace in India, which withdrew the latest iteration of its data protection bill earlier this month. A number of national companies in the country also lack dedicated programs to reward and incentivize researchers to help find flaws in their systems.