The Indian airline, Spicejet on Friday rubbished reports about a security breach on their systems. Report about an alleged data breach on the airline’s systems was first reported by the tech website, Techcrunch, but the airline has denied that such a breach has taken place.
Techcrunch on Friday reported that a security researcher was able to gain access to SpiceJet systems by brute-forcing the system’s password. In tech terms, brute force is an attempt to obtain a password or a PIN by repetitive trial and error attempts to guess the password. The researcher was able to guess the relatively easy password and upon entering the system, found an "unencrypted database backup file" containing information of over 1.2 million passengers who have used the airline in December 2019.
The file revealed passenger details such as their names, phone numbers, date of birth, the details of government officials also were available in the database, reported the website.
Apart from private information of passengers, the database also included flight information and other details that are sensitive. The researcher reportedly told Techcrunch that the database was easily accessible for those who knew where to look.
The researcher even approached the airline, informing them about the database being made available and risks of leaving it easily accessible. Techcrunch reported that the researcher received a poor response from the airline when the flaw was pointed out. The website claims to have confirmed the potential security lapse and alerted Spicejet themselves after which steps were taken to protect the database.
The airline spokesperson speaking to TNM said that the tech website misreported that there has been a security breach and that the airline has accepted that there was a breach, "They have rectified their mistake, it was an error from their side," The spokesperson also added, "There was no data breach in any of SpiceJet’s servers. At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.
The airline had also threatened legal action against Techcrunch for 'misreporting'.