SpiceJet was reportedly affected by a security flaw that exposed private details of more than 1.2 million passengers, including flight information. The information is said to have been found in an unencrypted database file after a security researcher gained access to a SpiceJet system by brute forcing the password. For now, details about the hack remain scarce, and the low-cost Indian airline has not revealed much in the boilerplate statement it provided in response to the report.
As reported by TechCrunch, the breach was by a security researcher who the publication is not naming, as they likely violated US computer hacking laws. The report elaborates to claim the researcher gained access to one of SpiceJet's systems by brute-forcing what's being termed as an "easily-guessable password." The system contained an unencrypted backup file with private details of over 1.2 million passengers, as of last month, including a rolling month's worth details such as name, phone number, email address, date of birth, and flight information.
The report[1] adds the researcher had described their breach as "ethical hacking", and had contacted SpiceJet[2], but never received a "meaningful response" from the airline. It was only after the Ministry of Electronics and Information Technology's (MeitY[3]) Indian Computer Emergency Response Team (CERT-In[4]) was notified, independently confirmed the researcher's findings, and then alerted SpiceJet, that the breach was fixed.
Gadgets 360 reached out to SpiceJet spokesperson to comment on the security flaw. With the researcher themselves being reported to breach the system and gaining access to the database, the security lapse could perhaps be better termed as a vulnerability than a breach itself. It remains uncertain whether the data was leaked, or the 'ethical hackers' ensured that the database didn't...