Akasa Air, the latest entrant in India’s aviation sector, has reported a significant data breach attributed to a technical configuration flaw. The incident exposed sensitive personal information of customers, raising serious concerns about cybersecurity within the rapidly growing airline.
Security researcher Ashutosh Barot uncovered the vulnerability during the airline’s inaugural day of operations on August 7, 2022. He traced the issue back to the account registration process, revealing that basic information such as names, email addresses, gender, and phone numbers was inadvertently accessible.
Barot detailed his findings in a write-up, indicating that he discovered an HTTP request displaying personal data in JSON format. By modifying certain parameters in this request, he was able to obtain the personally identifiable information (PII) of other users, demonstrating a glaring oversight in Akasa Air’s data protection mechanisms.
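The class of flaw described above is a missing ownership check on a record lookup. The following is an added illustration, not code from Barot’s write-up or from Akasa Air: it places the flawed pattern beside a corrected one and adds a log check for cross-account reads. The article gives no endpoint or parameter names, so the session tokens, account IDs, records and log format here are all hypothetical and constructed.

```python
import json

# Constructed sample records; fields mirror the PII types the article lists.
PROFILES = {
    "1001": {"name": "A. Rao", "email": "a.rao@example.com",
             "gender": "F", "phone": "+91-00000-00001"},
    "1002": {"name": "B. Singh", "email": "b.singh@example.com",
             "gender": "M", "phone": "+91-00000-00002"},
}
# Hypothetical session store: token -> account ID the token was issued to.
SESSIONS = {"tok-a": "1001", "tok-b": "1002"}


def profile_unchecked(token, requested_id):
    """Flawed pattern: any valid session gets whichever record the parameter names."""
    if token not in SESSIONS:
        return 401, json.dumps({"error": "unauthenticated"})
    record = PROFILES.get(requested_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(record)


def profile_checked(token, requested_id):
    """Corrected pattern: the record must belong to the account behind the session."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, json.dumps({"error": "unauthenticated"})
    if requested_id != owner or owner not in PROFILES:
        # Same answer for "not yours" and "does not exist", so IDs cannot be enumerated.
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(PROFILES[owner])


def cross_account_reads(log_lines):
    """Return {token: sorted foreign IDs} for 200 responses where caller != owner."""
    hits = {}
    for line in log_lines:
        token, requested_id, status = line.split()
        if status == "200" and SESSIONS.get(token) not in (None, requested_id):
            hits.setdefault(token, set()).add(requested_id)
    return {t: sorted(ids) for t, ids in hits.items()}


# Constructed access-log lines: "<session token> <requested id> <status>".
SAMPLE_LOG = ["tok-a 1001 200", "tok-a 1002 200", "tok-b 1002 200", "tok-x 1001 401"]

if __name__ == "__main__":
    print(profile_unchecked("tok-a", "1002"))  # another account's record comes back
    print(profile_checked("tok-a", "1002"))    # refused
    print(cross_account_reads(SAMPLE_LOG))
```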
Upon receiving Barot’s report, Akasa Air took immediate action by temporarily disabling sections of its system to implement additional security protocols. The incident was also reported to the Indian Computer Emergency Response Team (CERT-In), signaling a proactive approach to addressing the breach.
While the airline asserted that no sensitive travel or payment information had been compromised, it acknowledged the breach’s potential impact on user privacy. Akasa Air reached out directly to affected customers, although the full extent of the data leak remains unclear. The company urged users to be vigilant against potential phishing attacks that could arise from the incident.
This breach highlights significant gaps in cybersecurity practices, particularly improper configuration management that opens the door to initial access, a tactic recognized in the MITRE ATT&CK framework. Such vulnerabilities can lead to privilege escalation and exploitation, exposing user data. As businesses continue to digitize operations, maintaining robust security measures is critical to mitigating such risks.
The incident not only emphasizes the need for better security configurations but also serves as a reminder for businesses in similar sectors to remain constantly vigilant against potential data breaches. Implementing layered security protocols and continuously updating systems are vital strategies in the ever-evolving landscape of cybersecurity threats.