SpiceJet Failed to Protect 1.2 Million Customers' Data From Hackers

SpiceJet Data Breach

Security researchers often criticize the PR teams of cyberattack victims for mishandling the incident, and it must be said that frequently, in their attempts to minimize the embarrassment, spokespeople tend to say things that are either inappropriate or plain wrong. Take SpiceJet, for example.

With a fleet of over 100 aircraft, SpiceJet is one of the biggest airlines in India, and quite a few people fly with it regularly. In the aftermath of a recent data breach, a SpiceJet spokesperson said that the "safety and security of fliers' data is sacrosanct" and that the airline's employees "undertake every possible measure to safeguard and protect this data." If you have a look at how the actual breach happened, however, you'll find few things to suggest that this is true.

The private information of over 1.2 million passengers was protected by a weak password

First reported by TechCrunch on Thursday, the incident took place last month. Back then, a security researcher gained access to one of the airline's servers after guessing the weak password that was protecting it.

Once inside, the hacker saw an unencrypted database that contained the personal information of over 1.2 million people who had flown with SpiceJet during the previous four weeks. The details included names, phone numbers, email addresses, and dates of birth. Although SpiceJet is considered a budget carrier, the database held the personal data of state officials as well, and the researcher told TechCrunch that it was "easily accessible for anyone who knew where to look."

SpiceJet didn't react to the data breach notification

The claims that the airline takes "every possible" measure to ensure fliers' data privacy are starting to fall apart, but there are other issues as well. After discovering the weak password and the unencrypted database, the security researcher immediately tried to contact SpiceJet and let them know what was going on. The hacker received "no meaningful response," however.

Seeing that this was going nowhere, the researcher then shared their findings with India's Computer Emergency Response Team (CERT-IN). The agency confirmed the issue and put pressure on SpiceJet to fix it. Finally, the database was taken offline.

Despite this, SpiceJet hasn't officially confirmed the breach and has yet to publicly share any sort of information on the incident – a behavior that, you have to agree, isn't completely in line with what the airline's spokespeople told the media.

An ethical hacker or a criminal?

The server that hosted the database wasn't left completely open. It was protected by a weak password, and although you might argue that this is as good as leaving it wide open, the fact that the security researcher even tried to guess the login credentials could land them in trouble.

In many countries, compromising a system that doesn't belong to you is punishable by law, regardless of your intentions. That's why, although they claim that they brute-forced their way into SpiceJet's system to help the airline secure its customers' data properly, the researcher preferred to remain anonymous and stay out of court. It's up to you to decide whether the laws are perfect in this respect, and while you're at it, you might want to consider one more thing.

The law isn't quite so strict in other cases. If, for example, you fail to properly protect the personal data of more than 1 million people, you can come up with a boilerplate "we take security very seriously" statement and even refuse to admit to your mistakes. In many parts of the world, you won't be breaking any laws. You be the judge of whether that is particularly fair.

January 31, 2020