SpiceJet has been hit with a cyber breach that exposed the personal information of as many as 1.2 million of its passengers, according to reports.
The news comes via TechCrunch’s Manish Singh and Zack Whittaker, who wrote that a security researcher who labeled themselves an ‘ethical hacker’ informed them of the breach, which affected more than a million passengers of one of India’s largest carriers.
“The security researcher, who described their actions as ‘ethical hacking’ but whom we are not naming as they likely fell afoul of U.S. computer hacking laws, gained access to one of SpiceJet’s systems by brute-forcing the system’s easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the budget-carrier last month,” according to their report.
These records included names, phone numbers, email addresses and dates of birth, which concerned security researchers because some state officials were listed in the database.
That unnamed source also said that they believed the database remained easily accessible for anyone “who knew where to look,” according to TechCrunch.
“The researcher alerted SpiceJet about the database, but said they never received a meaningful response. TechCrunch reviewed a sample of the passenger list as well as the researcher’s email correspondence with SpiceJet representatives.”
After several unsuccessful attempts to get a response from the airline, the hacker alerted CERT-In, a government agency in India responsible for responding to domestic cybersecurity threats. CERT-In reviewed the situation and confirmed several flaws in SpiceJet’s system, alerting the airline to the changes necessary to ensure its security.
SpiceJet has secured nearly 13% of the world’s fastest-expanding market for air carriers, India.
The airline has since responded to these reports, stating that “at SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest levels.”