Indian airline SpiceJet has reportedly suffered a data breach that exposed the details of over 1.2 million passengers. The breached data was found in an unencrypted database file that a security researcher accessed by brute-forcing the password.
The security researcher’s identity is being withheld because they are likely to have violated US computer hacking laws, according to a TechCrunch report. The researcher gained access to one of SpiceJet’s systems by brute-forcing its easily guessable password. They then got access to the private information of 1.2 million passengers of the low-cost carrier.
The records contained information such as passengers’ names, contact numbers, email addresses and dates of birth. Some records include information on state officials, the report added.
The researcher claims to have informed SpiceJet about the vulnerable database, but never received a ‘meaningful response’. They then informed the Computer Emergency Response Team (CERT-In), which confirmed the security lapse and in turn told SpiceJet to take the necessary measures to strengthen its database security.
In its statement to TechCrunch, SpiceJet said, “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”