India’s newest commercial airline, Akasa Air, has exposed personal data belonging to its customers, an incident the company attributed to technical configuration errors.
Ashutosh Barot, the security researcher who reported the flaw, said the issue originated in the account registration process and exposed personal information including names, email addresses, phone numbers and gender.
The bug was identified on 7th August 2022, the same day that the airline commenced its operations in the country.
Barot wrote in his report: “[he] found an HTTP request which gave [his] name, email, phone number, gender, etc. in JSON format. [He] immediately changed some parameters in [the] request and was able to see other users’ PII. It took around ~30 minutes to find this issue.”
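The request tampering Barot describes, one authenticated session reading other accounts’ records by changing a parameter, is the classic insecure direct object reference (IDOR, also called broken object level authorization). The following is an added illustration, not Akasa Air’s code and not taken from Barot’s report: the sample records, field names and handler shapes are assumptions. It shows a profile endpoint that trusts a client-supplied user id beside one that resolves the record from the session, plus a small replay of the researcher’s test that can be kept as a regression check.

```python
"""Constructed IDOR illustration: vulnerable profile lookup vs hardened one."""
import json
from http import HTTPStatus

# Constructed sample records standing in for a users table (not real data).
USERS = {
    1001: {"name": "A. Sharma", "email": "a.sharma@example.com",
           "phone": "+91-90000-00001", "gender": "F"},
    1002: {"name": "R. Iyer", "email": "r.iyer@example.com",
           "phone": "+91-90000-00002", "gender": "M"},
    1003: {"name": "P. Singh", "email": "p.singh@example.com",
           "phone": "+91-90000-00003", "gender": "M"},
}

# Where the hardened handler records rejected cross-user requests.
AUDIT_LOG = []


def _parse_user_id(value):
    """Return the id as an int, or None if it is missing or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def get_profile_vulnerable(session_user_id, params):
    """Hypothetical vulnerable handler: looks up whatever id the client sent.

    The session proves who the caller is, but nothing ties that identity to
    the user_id parameter, so any logged-in user can read any other user's
    profile by changing one number. This is an IDOR / BOLA bug."""
    requested = _parse_user_id(params.get("user_id"))
    record = USERS.get(requested)
    if record is None:
        return HTTPStatus.NOT_FOUND, json.dumps({"error": "not found"})
    return HTTPStatus.OK, json.dumps(record)


def get_profile_hardened(session_user_id, params):
    """Hardened handler: the object is resolved from the session, not the URL.

    A user_id parameter is still accepted for API compatibility, but it must
    equal the authenticated user's id. Mismatches are refused before any
    lookup and written to an audit log, since a burst of them is exactly what
    enumeration looks like. The refusal is a 404, not a 403, so the response
    does not confirm which ids exist."""
    if "user_id" in params:
        requested = _parse_user_id(params["user_id"])
        if requested is None:
            return HTTPStatus.BAD_REQUEST, json.dumps({"error": "bad user_id"})
        if requested != session_user_id:
            AUDIT_LOG.append(
                f"idor_attempt session={session_user_id} requested={requested}")
            return HTTPStatus.NOT_FOUND, json.dumps({"error": "not found"})
    record = USERS.get(session_user_id)
    if record is None:
        return HTTPStatus.NOT_FOUND, json.dumps({"error": "not found"})
    return HTTPStatus.OK, json.dumps(record)


def exposed_emails(handler, session_user_id, id_range):
    """Replay the researcher's test: one session, many user_id values.

    Returns the sorted emails that came back. A correct endpoint can only
    ever return the session owner's own record, so anything else is a
    finding; this doubles as a regression test against a staging deployment."""
    seen = set()
    for candidate in id_range:
        status, body = handler(session_user_id, {"user_id": str(candidate)})
        if status == HTTPStatus.OK:
            seen.add(json.loads(body)["email"])
    return sorted(seen)


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", exposed_emails(get_profile_vulnerable, 1001, ids))
    print("hardened:  ", exposed_emails(get_profile_hardened, 1001, ids))
    print("audit:", len(AUDIT_LOG), "rejected cross-user requests")
```

The design point is that the fix is not input validation: the id parses fine in both handlers. The fix is binding the object to the authenticated identity before the lookup, and logging the mismatch so that the enumeration Barot performed in thirty minutes would show up as dozens of audit entries from one session rather than as silent 200 responses.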
Once it had received the report, the company temporarily shut down parts of its system to add further security guardrails. The budget airline also reported the incident to the Indian Computer Emergency Response Team (CERT-In).
Akasa Air emphasised that no payment or travel-related details were accessible. There is also no evidence that the flaw was exploited in the wild while it was exposed, although for a bug of this kind that conclusion depends on having server logs detailed enough to spot one account reading many others’ records.
The airline said it has directly notified affected users, although the scale of the leak remains unclear, and added that it “advised users to be conscious of possible phishing attempts.”