Not even a month since it launched services, Akasa airline has reported its first data breach. The exposed data includes information such as names, genders, email addresses and phone numbers of some Akasa passengers, the airline informed on Sunday.
In a statement, Akasa said that a temporary technical configuration error related to login and sign-up service was reported on August 25.
“As a result of this configuration error, some Akasa Air registered user information limited to names, gender, email addresses and phone numbers may have been viewed by unauthorised individuals. We can confirm that aside from the above details, no travel-related information, travel records or payment information was compromised,” it said.
The glitch was discovered by ethical hacker, Ashutosh Barot, “As part of recon process, I explored domains, subdomains, Internet-facing IT infrastructure of Akasa Air, then I noticed their registration page,” Barot said, adding that after creating the profile, he went and searched for his own personal information.
“I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format. I immediately changed some parameters in request and I was able to see other user’s PII. It took around ~30 minutes to find this issue.”
Barot, in his blog, added that he reached out to the airline to get this issue resolved. The airline, too, promptly responded.
The airline, in its statement, further clarified that as per its records there was no intentional hacking attempt. Further, Akas added that it self-reported this incident to the Indian Computer Emergency Response Team CERT-In, which is the government-authorized nodal agency tasked to deal with matters of this nature.
Anand Srinivasan, Co-Founder and Chief Information Officer at Akasa Air, on the incident. “At Akasa Air, system security and protection of customer information is paramount, and our focus is to always provide a secure and reliable customer experience. While extensive protocols are in place to prevent incidents of such nature, we have undertaken additional measures to ensure that the security of all our systems is even further enhanced. We will continue to maintain our robust security protocols, engaging wherever applicable, with partners, researchers, and security experts from whom we can benefit to strengthen our systems.”
The airline has also sent emails to its passengers over the weekend post the incident.
Akasa Air launched commercial flight operations on August 7 by operating its first service on the Mumbai-Ahmedabad route using B737 Max aircraft. In November last year, Akasa ordered 72 B737 Max planes from Boeing. Currently, it has inducted three out of the 72 aircraft. Akasa Air’s fleet size will be 18 aircraft by the end of March 2023 and over the next four years, the airline will add 54 additional aircraft, taking its total fleet size to 72 aircraft.
Akasa has said it plans to establish a strong pan-India presence, with a focus on the metro to tier 2 & 3 route connectivity. Currently, it operates flights to and from Mumbai, Chennai, Bengaluru, Kochi and Ahmedabad.