UPDATED 22:39 EST / JANUARY 30 2020

SECURITY

Indian discount airline SpiceJet suffers data breach affecting 1.2M customers

Indian discount airline SpiceJet Ltd. has suffered a data breach, with 1.2 million customer records accessed.

In a twist on the usual data breach story, the data was accessed by a so-called “ethical hacker” who used a brute-force method that involved inputting commonly used passwords to gain access to one of SpiceJet’s systems. Brute-forcing involves an attacker submitting many passwords or phrases in the hope of eventually guessing correctly and gaining access, which is what occurred in this case.

The data accessed included the names of the passengers, phone numbers, email addresses and dates of birth, according to a report in TechCrunch Thursday. Some of the passengers included Indian government officials.

The unnamed researcher is said to have reached out to SpiceJet with the details of getting access but received no response. The researcher went on to inform CERT-In, an Indian government-run agency that handles cybersecurity. The agency alerted SpiceJet, which finally took measures to protect the database.

Despite ignoring the initial message that it had been compromised, SpiceJet issued a stock standard response to the news, claiming that “the safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data, which is a continuous process.”

“The SpiceJet breach demonstrates once again how weak password security can lead to chaos,” Matt Davey, chief operating officer at password manager company 1Password, told SiliconANGLE. “The ongoing spate of attacks due to weak passwords reinforces a basic truism: Good password practices are an essential yet surprisingly frequently overlooked component of cybersecurity.”

Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., noted several concerns with this incident. “From the researcher’s perspective, brute-forcing and gaining access to private data is not an acceptable practice,” he said. “If the researcher had concerns, they should have tried raising it with the airline directly.”

At the same time, “the airline itself hasn’t apparently followed best practices through by not having a well-protected system that is not resilient to brute-forcing through account lock-outs, monitoring or two-factor authentication,” Malik added.
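The two controls Malik names, account lock-outs and monitoring, are straightforward to express in code. The following is an added example written for this article, not code from SpiceJet, the researcher or any quoted company; it assumes a simple single-line authentication log format (timestamp, user, source address, OK/FAIL) and thresholds (five failures in ten minutes, fifteen-minute lock) that are illustrative choices. It replays constructed log lines through a sliding-window lockout policy, showing that a correct guess arriving after the threshold is still rejected, and separately runs an offline detector over the same lines to flag the source and account being attacked.

```python
"""Account lockout and brute-force detection over constructed auth log lines.

Added example: not SpiceJet's code nor anything described in the article.
The log format, field names and thresholds below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source cycling common passwords against
# "admin" and eventually hitting the right one, plus ordinary traffic
# from another user who mistypes once.
SAMPLE_LOG = """\
2020-01-30T22:00:01Z auth user=alice src=198.51.100.7 result=OK
2020-01-30T22:00:05Z auth user=admin src=203.0.113.10 result=FAIL
2020-01-30T22:00:06Z auth user=admin src=203.0.113.10 result=FAIL
2020-01-30T22:00:07Z auth user=admin src=203.0.113.10 result=FAIL
2020-01-30T22:00:08Z auth user=admin src=203.0.113.10 result=FAIL
2020-01-30T22:00:09Z auth user=admin src=203.0.113.10 result=FAIL
2020-01-30T22:00:10Z auth user=admin src=203.0.113.10 result=OK
2020-01-30T22:30:00Z auth user=alice src=198.51.100.7 result=FAIL
2020-01-30T22:30:20Z auth user=alice src=198.51.100.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "OK"}


class LockoutPolicy:
    """Sliding-window lockout: once an account accumulates `max_failures`
    failed attempts inside `window`, every attempt on it (even one with the
    correct password) is rejected until `lockout` has elapsed."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def evaluate(self, event):
        """Return 'allow', 'deny' or 'locked' for this attempt and update state."""
        user, ts = event["user"], event["ts"]
        until = self._locked_until.get(user)
        if until is not None and ts < until:
            return "locked"  # still inside the lock period, password not even checked
        recent = self._failures[user]
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that have aged out of the window
        if event["ok"]:
            recent.clear()
            return "allow"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self._locked_until[user] = ts + self.lockout
            recent.clear()
            return "locked"
        return "deny"


def replay(log_text, policy=None):
    """Feed each parsed line through the policy; return (time, user, src, decision) tuples."""
    policy = policy or LockoutPolicy()
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            decisions.append((ev["ts"].strftime("%H:%M:%S"), ev["user"],
                              ev["src"], policy.evaluate(ev)))
    return decisions


def detect_bruteforce(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Monitoring view over a finished log: flag (src, user) pairs whose failed
    attempts reach `max_failures` inside any span of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and not ev["ok"]:
            failures[(ev["src"], ev["user"])].append(ev["ts"])
    flagged = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(*row)
    print("flagged:", detect_bruteforce(SAMPLE_LOG))
```

In the replay, the fifth failure locks the "admin" account, so the correct password submitted one second later is rejected as "locked", whereas alice's single mistake only produces a "deny" and her next attempt succeeds. The detector flags only the 203.0.113.10/admin pair; lockout thresholds and the detection window are tuned together in practice so that a single legitimate typo never triggers either.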

One issue is simply having unencrypted data on so many passengers, he added. “Being able to track people’s movements could lead to them being attractive targets of cyber or traditional criminals who may want to use the data to exploit the victims,” he said. “Affected passengers should also be wary in the coming weeks of any phishing emails that may claim to be from the airline offering a refund or some other hook to get them to click on a link and compromise them further.”

Bil Harmer, chief information security officer of security access management firm SecureAuth Corp., explained that administration-level access should never be exposed directly to the public internet. “What’s more, this underscores why password-only for administrative level access is beyond unacceptable,” he said.

“Attackers should not be able to simply walk through the front door and gain unauthorized access to the private details of 1.2 million passengers,” Harmer concluded. “This breach is another major wakeup call for organizations to improve their identity security approach — moving away from passwords and thinking about adaptive authentication that uses risk-based analysis techniques such as geographic location analysis, device recognition, IP reputation-based threat services and user behavior analytics.”

Photo: Paul Hamilton/Flickr
