UPDATED 22:39 EDT / JANUARY 30 2020

Indian discount airline SpiceJet suffers data breach affecting 1.2M customers

Indian discount airline SpiceJet Ltd. has suffered a data breach, with 1.2 million customer records accessed.

In a twist on the usual data breach stories, the data was accessed by a so-called “ethical hacker” who used a brute-force method that involved inputting commonly used passwords to gain access to one of SpiceJet’s systems. Brute-forcing involves an attacker submitting many passwords or phrases in the hope of eventually guessing correctly and gaining access, which is what occurred in this case.

The data accessed included the names of the passengers, phone numbers, email addresses and dates of birth, according to a report in TechCrunch Thursday. Some of the passengers included Indian government officials.

The unnamed researcher is said to have reached out to SpiceJet with the details of getting access but received no response. The researcher went on to inform CERT-In, an Indian government-run agency that handles cybersecurity. The agency alerted SpiceJet, which finally took measures to protect the database.

Despite ignoring the initial message that it had been compromised, SpiceJet issued a stock standard response to the news, claiming that “the safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data, which is a continuous process.”

“The SpiceJet breach demonstrates once again how weak password security can lead to chaos,” Matt Davey, chief operating officer at password manager company 1Password, told SiliconANGLE. “The ongoing spate of attacks due to weak passwords reinforces a basic truism: Good password practices are an essential yet surprisingly frequently overlooked component of cybersecurity.”

Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., noted several concerns with this incident. “From the researcher’s perspective, brute-forcing and gaining access to private data is not an acceptable practice,” he said. “If the researcher had concerns, they should have tried raising it with the airline directly.”

At the same time, Malik added, “the airline itself hasn’t apparently followed best practices through by not having a well-protected system that is not resilient to brute-forcing through account lock-outs, monitoring or two-factor authentication.”

One issue is simply having unencrypted data on so many passengers, he added. “Being able to track people’s movements could lead to them being attractive targets of cyber or traditional criminals who may want to use the data to exploit the victims,” he said. “Affected passengers should also be wary in the coming weeks of any phishing emails that may claim to be from the airline offering a refund or some other hook to get them to click on a link and compromise them further.”
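As an added defender-side example (not from the article, SpiceJet or any of the vendors quoted), the Python below replays a constructed authentication log through two of the controls Malik names, account lockout and monitoring: an account locks after repeated failures inside a sliding window, so even a correct guess arriving afterwards is refused, and a single source failing against several accounts is flagged as the common-password pattern described above. The log format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not SpiceJet data); line format assumed here:
# <ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<account> src=<ip>
SAMPLE_LOG = """\
2020-01-30T22:00:01 LOGIN_FAIL user=admin src=203.0.113.7
2020-01-30T22:00:03 LOGIN_FAIL user=admin src=203.0.113.7
2020-01-30T22:00:05 LOGIN_FAIL user=admin src=203.0.113.7
2020-01-30T22:00:07 LOGIN_FAIL user=admin src=203.0.113.7
2020-01-30T22:00:09 LOGIN_FAIL user=admin src=203.0.113.7
2020-01-30T22:00:11 LOGIN_OK user=admin src=203.0.113.7
2020-01-30T22:05:00 LOGIN_FAIL user=ops1 src=198.51.100.9
2020-01-30T22:05:02 LOGIN_FAIL user=ops2 src=198.51.100.9
2020-01-30T22:05:04 LOGIN_FAIL user=ops3 src=198.51.100.9
"""
MAX_FAILURES = 5                 # failures tolerated per account ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window
LOCKOUT = timedelta(minutes=15)  # how long the account stays locked
SPRAY_ACCOUNTS = 3               # distinct accounts failing from one source
def parse(line):
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user.split("=", 1)[1], src.split("=", 1)[1]

def evaluate(log_text):
    """Replay the log through a lockout policy; return (decisions, alerts)."""
    failures = defaultdict(deque)   # account -> recent failure timestamps
    locked_until = {}               # account -> lock expiry
    spray = defaultdict(set)        # source ip -> accounts that failed from it
    decisions, alerts = [], []
    for line in log_text.strip().splitlines():
        ts, event, user, src = parse(line)
        if ts < locked_until.get(user, ts):
            decisions.append((user, "locked"))   # refused even if the guess was right
            continue
        if event == "LOGIN_OK":
            decisions.append((user, "allow"))
            failures[user].clear()
            continue
        q = failures[user]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        decisions.append((user, "fail"))
        spray[src].add(user)
        if len(q) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT
            alerts.append(f"lockout {user}: {len(q)} failures in {WINDOW} from {src}")
        if len(spray[src]) == SPRAY_ACCOUNTS:
            alerts.append(f"possible password spraying from {src}")
    return decisions, alerts
```

In the sample, the sixth admin attempt carries a correct password but is still rejected because the account is already locked, which is the property a lockout control is meant to provide against the guessing described in the article.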

Bil Harmer, chief information security officer of security access management firm SecureAuth Corp., explained that administration-level access should never be exposed directly to the public internet. “What’s more, this underscores why password-only for administrative level access is beyond unacceptable,” he said.

“Attackers should not be able to simply walk through the front door and gain unauthorized access to the private details of 1.2 million passengers,” Harmer concluded. “This breach is another major wakeup call for organizations to improve their identity security approach — moving away from passwords and thinking about adaptive authentication that uses risk-based analysis techniques such as geographic location analysis, device recognition, IP reputation-based threat services and user behavior analytics.”

Photo: Paul Hamilton/Flickr
