SpiceJet was reportedly affected by a security flaw that exposed personal details of more than 1.2 million passengers, including flight information. The information is said to have been found in an unencrypted database file after a security researcher gained access to a SpiceJet system by brute-forcing a password. For now, details about the hack are scarce, and the low-cost Indian airline has not revealed much in the boilerplate statement provided in response to the report.
As reported by TechCrunch, the breach was made by a security researcher whom the publication is not naming, as they likely violated US computer hacking laws. The report goes on to say that the researcher gained access to one of SpiceJet’s systems by brute-forcing what is being called an “easily predictable password”. Until last month, the system held an unencrypted backup file with personal details of more than 1.2 million passengers, including a rolling month’s worth of details such as name, phone number, email address, date of birth, and flight information.
The report said the researcher described their violation as “ethical hacking” and contacted SpiceJet, but never received a “meaningful response” from the airline. Only after the Ministry of Electronics and Information Technology’s (MeitY) Indian Computer Emergency Response Team (CERT-In) was informed were the researcher’s findings independently confirmed and then passed on to SpiceJet, after which the breach was fixed.
Gadgets 360 reached out to a SpiceJet spokesperson for comment on the security flaw. With the researcher himself being reported to have breached the system and gained access to the database, security lapses could possibly be termed as better protection from breaches. It is uncertain whether the data was leaked, or whether ‘ethical hackers’ ensured that the database did not fall into the wrong hands and responsibly saw that the problem was fixed.
We received a statement from SpiceJet in response to our query, stating that no breach occurred: “There was a data breach in any of SpiceJet’s servers. On SpiceJet, the security and security of our flyer’s data is sacrosanct. Our systems are fully capable. And flyer is always up-to-date to keep data secure which is a continuous process. Let’s take every measure possible to ensure that privacy is maintained at the highest and safest level.”
Editor’s Note: A previous version of this article stated that SpiceJet confirmed to TechCrunch that a security lapse had occurred. The publication has revised the article to remove all mentions of confirmation, and we have made changes to reflect this based on the explanation from SpiceJet.