Akasa Air, India’s newly founded airline that began operations earlier this month, exposed the personal information of thousands of its clients due to a technical malfunction that crippled its login and sign-up service.
Ashutosh Barot, a cybersecurity researcher, uncovered the exposed data, which includes full names, gender, email addresses, and phone numbers of consumers signing up and logging in on the Akasa Air website.
“I reached out to the airline via their official Twitter account, asking them for an email ID to report the issue. They gave me the info@akasa email ID to which I didn’t share the vulnerability details because it might be handled by support staff or third party vendors. So, I emailed them again and asked [the airline] to provide [the] email address of someone from their security team. I received no further communication from Akasa,” the researcher said.
When we contacted Akasa Air, they responded swiftly and acknowledged that the issue had put 34,533 unique customer records at risk. The airline added that neither payment records nor information connected to travel was included in the compromised data.
When Akasa Air learned about the incident, it stopped offering sign-ups. The airline added more restrictions before starting its regular public service, according to their statement.
Co-founder and Akasa Air’s chief information officer, Anand Srinivasan, made the following comments in a prepared statement “At Akasa Air, system security and protection of customer information is paramount, and our focus is to always provide a secure and reliable customer experience. While extensive protocols are in place to prevent incidents of such nature, we have undertaken additional measures to ensure that the security of all our systems is even further enhanced. We will continue to maintain our robust security protocols, engaging wherever applicable, with partners, researchers, and security experts from whom we can benefit to strengthen our systems”. “I am glad the airline fixed the issue on short notice and reported it to CERT-In as well as informed its customers about the incident, which is an exemplary step,” the researcher said.