Due to a technical issue that hampered its login and sign-up services, Akasa Air, a recently formed airline in India that started operations earlier this month, had the personal information of thousands of its customers exposed.
Ashutosh Barot, a cybersecurity researcher, found the exposed data, which included the full names, genders, email addresses, and phone numbers of users registering and logging in on the Akasa Air website. Within minutes of visiting Akasa Air’s website on August 7 for the first time, the researcher discovered an HTTP request revealing the data. He had initially looked for a direct line of contact with the airline’s security staff stationed in Mumbai but was unable.
The researcher notified TechCrunch about the problem after not receiving a response from the airline regarding how he could contact the security team.
When we contacted Akasa Air, they reacted almost immediately and admitted that the problem had put 34,533 distinct customer records in danger. The airline added that neither payment records nor information connected to travel were included in the compromised data.
When Akasa Air learned about the incident, it stopped offering sign-ups. The airline added more restrictions before starting its regular public service, according to their statement. The airline also disclosed to TechCrunch that it performed further checks to guarantee the security of all of its systems.
Through a statement that it also made public on Sunday, Akasa Air informed its impacted users of the problem and reported it to India’s nodal cybersecurity body CERT-In. Because of the data vulnerability, it warned users to “be aware of potential phishing efforts.” It also told TechCrunch that it has not noticed a “unwanted rise in access” to the data.
