Indian airline operator SpiceJet faced a data breach, as a security researcher managed to extract the details of more than a million of its passengers from an unencrypted database backup file on its system, reported TechCrunch.
The database had a rolling month’s worth of flight information, with personal details of each passenger, such as name, phone number, email address and their date of birth. Some of the details were of state officials, the report said.
The database, protected only by an “easily guessable password”, was open to anyone with knowledge of the company’s systems, the researcher told TechCrunch. The report did not name the security researcher, as the “ethical hacking” done in this instance essentially broke the law.
OneLogin EMEA managing director Elle Lathrop termed the lax use of passwords “extremely concerning”.
“It's extremely concerning that a company the size of SpiceJet is naive enough to rely on what's been reported as an 'easily-guessable' password, prone to brute-force attacks. Passwords continue to be the weakest link and brute-force attacks are a common method used by hackers to exploit weak passwords to penetrate systems and gain unauthorised access to an account,” Lathrop said.
“Attacks like this underscore the need to reinforce passwords with multi-factor authentication (MFA) and, ultimately, move beyond passwords to context-aware, smart authentication methods that remove the reliance on human factors."
The researcher alerted the airline to the vulnerability, but after a muted response went straight to the national cyber-security watchdog CERT-In, which in turn pushed the company to take the necessary action.
“Ethical hacking is easy to get wrong and hard to do right. In the case of SpiceJet, not much is known about the hacker except the apparent absence of malice and that they went to CERT-In, although arguably they might have gone straight to SpiceJet,” commented Cybereason CISO Sam Curry.
“In the end, the concern is less about what this hacker did than about what others might have done or not up until now.”
The legality of this ‘ethical’ hack and its disclosure policy apart, this is a typical example of a lack of security, noted Hugo van den Toorn, manager of offensive security at Outpost24.
“Whenever you are storing data, and especially if it involves sensitive personally identifiable information (PII), that data should be classified and protected according to its classification. High-value data, such as PII, should either be stored internally or at least protected by multi-factor authentication if it has a valid reason to be accessible over the internet,” he suggested.
“This data was most likely never intended to be Internet facing, but unfortunately was. This is a typical example of how multiple missing layers of security result in the exposure of data.”
The carrier, which commands 13 percent of the sector’s traffic with connecting operations to the Middle East and South Asia, maintains that its security measures were strong and up to date, said the report.