Akasa Air exposed sensitive records of thousands of customers

Akasa Air, India’s newly launched airline that began operations earlier this month, exposed the personal data of thousands of its customers because of a technical glitch that affected its login and sign-up service.

The exposed data, discovered by cybersecurity researcher Ashutosh Barot, included full names, gender, email addresses and phone numbers of customers signing up and logging in on the Akasa Air website.

“I reached out to the airline via their official Twitter account, asking them for an email ID to report the issue. They gave me the info@akasa email ID to which I didn’t share the vulnerability details because it might be handled by support staff or third party vendors. So, I emailed them again and asked [the airline] to provide [the] email address of someone from their security team. I received no further communication from Akasa,” the researcher said.

Akasa Air quickly responded when we reached out and acknowledged that the issue had put 34,533 unique customer records at risk. The airline also said the exposed data did not include travel-related information or payment records.

On being made aware of the incident, Akasa Air shut down its sign-up service. The airline also said that it added additional controls before resuming its service to the general public.

“At Akasa Air, system security and protection of customer information is paramount, and our focus is to always provide a secure and reliable customer experience. While extensive protocols are in place to prevent incidents of such nature, we have undertaken additional measures to ensure that the security of all our systems is even further enhanced. We will continue to maintain our robust security protocols, engaging wherever applicable, with partners, researchers, and security experts from whom we can benefit to strengthen our systems,” Anand Srinivasan, Co-Founder and Chief Information Officer at Akasa Air, said in a prepared statement on the matter.

“I am glad the airline fixed the issue on short notice and reported it to CERT-In as well as informed its customers about the incident, which is an exemplary step,” the researcher said.

191 views0 comments