India’s Akasa Air – A New Airline with a Typical Data Breach

Data breaches may occur for various reasons, but the results are the same – a huge risk to sensitive information. Unfortunately, companies all over the world are making it easier for cybercriminals by overlooking bugs that expose their customers’ data. That happened a couple of days ago with the newly launched Indian Airline – Akasa Air.

The company blames the data exposure on a technical configuration error. But for an airline that has been around for almost two years, such bugs should not exist.

Asaka Air promotes itself as a low-cost airline, but this breach will definitely cost a lot. Now, we have to ask: What data was exposed? How many have been affected? We’ll discuss everything below.

Akasa Air Breach – One Small Bug, A Huge Data Leak

Flaws and bugs are inevitable. Even the biggest companies in the world might have had their fair share of breaches of this sort in the past.

In fact, a lot of big names in the industry are still suffering from one of the biggest discovered vulnerabilities to date – Log4Shell.

Even Crypto ATMs have encountered data breaches due to vulnerabilities in the past few months. General Bytes – a Bitcoin ATM manufacturer – suffered a breach as threat actors successfully exploited a bug within their systems.

Now, Akasa Airlines is added to the mix as the newest victim of bugs and vulnerabilities. The problem isn’t just in the bug, it’s in what has been exposed in the process.

This vulnerability resulted in the exposure of critical details such as names, gender, email addresses, and phone numbers. Based on a report by security researcher Ashutosh Barot, the issue lies in the account registration process:

“I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format. I immediately changed some parameters in [the] request and I was able to see other user’s PII. It took around ~30 minutes to find this issue.”

According to Akasa Air, they did everything they can when they were made aware of the breach. Here’s what their report states:

On being made aware of this, we immediately stopped this unauthorised access by completely shutting down the associated functional elements of our system. Subsequently, having added additional controls to address this situation, we have resumed our login and sign-up services.

We self-reported the incident to CERT-In (which is the Government authorised nodal agency tasked to deal with incidents of this nature).

We have also notified the affected users of the above, have informed such users that this matter has been reported to CERT-In (which is the Government authorised nodal agency tasked to deal with incidents of this nature) and have advised users to be conscious of possible phishing attempts.

The company did not state how big is the scale of this breach. However, whatever it is, customers should watch out that cybercriminals might take advantage of this to perform malicious activities such as phishing attacks.

A Huge Data Exposure – There’s a Bug in the Airline

Akasa Air states that its main focus is to provide a secure and reliable customer experience. Unfortunately, that doesn’t seem to be the case here.

Critical information was left out in the open and Akasa had to cease its operations for a short while. Now, everything is back in place and the company clarified that no payment information was exposed.