March 25, 2023

Akasa Air, India’s new airline, which began operations earlier this month, exposed the personal data of thousands of customers as a technical glitch affected its login and registration services.

The exposed data, discovered by cybersecurity researcher Ashutosh Barrot, included the full name, gender, email address and phone number of customers who registered and logged in on the Akasa Air website.

On Aug. 7, the researcher discovered an HTTP request that disclosed the data, minutes after viewing Akasa Air’s website. He initially tried to communicate directly with the Mumbai-based airline’s security team, but no direct contact could be found.

“I contacted the airline through their official Twitter account and asked them to provide an email ID to report the issue. They gave me the info@akasa email ID and I did not share the vulnerability details with them as it may have been caused by Support or a third-party vendor to handle. So, I emailed them again and asked [the airline] to supply [the] email address of someone on the security team. I have received no further communication from Akasa,” the researcher said.

After getting no response from the airline about how to contact its security team, the researcher informed TechCrunch of the issue.

Akasa Air responded quickly when we contacted it and acknowledged that the issue had put 34,533 unique customer records at risk. The airline also said the exposed data did not include travel-related information or payment records.

Upon learning of the incident, Akasa Air shut down its registration service. The airline also said it added additional controls before resuming service to the public.

Additionally, the airline told TechCrunch that it conducted additional scrutiny to ensure the safety of all of its systems.

Akasa Air reported the incident to India’s nodal cybersecurity agency CERT-In and notified its affected users in a statement, which it also made public on Sunday. Due to the data exposure, it advised users to “be aware of possible phishing attempts”. Additionally, it confirmed to TechCrunch that it hasn’t seen a “surge in traffic” to the data.

“At Akasa Air, system security and the protection of customer information are paramount, and our focus is always on delivering a safe and secure customer experience. While extensive protocols are in place to prevent such incidents, we have taken additional steps to ensure that the security of all of our systems has been further enhanced,” said Anand Srinivasan, co-founder and chief information officer of Akasa Air, in a prepared statement on the matter.

“I am pleased that the airline resolved the issue within a short period of time and reported it to CERT-In and informed its customers of the incident, which is a typical step,” the researcher said.

Data exposures and leaks are becoming more common in India, which withdrew the last iteration of its data protection bill earlier this month. Many domestic companies in the country also do not have dedicated programs to reward and incentivize researchers who help uncover flaws in their systems.
