Experts On Data Breach At Indian Airline SpiceJet Affects 1.2 Million Passengers

It has been reported that SpiceJet, one of India's largest privately owned airlines, has acknowledged a data breach involving the details of over a million of its passengers. According to the report, the database held a rolling month's worth of flight information and the details of each passenger, and it was easily accessible to anyone who knew where to look.

Experts Comments

January 31, 2020
Elle Lathrop
Managing Director, EMEA
OneLogin
It's extremely concerning that a company the size of SpiceJet is naive enough to rely on what's been reported as an 'easily guessable' password, prone to brute-force attacks. Passwords continue to be the weakest link, and brute-force attacks are a common method used by hackers to exploit weak passwords to penetrate systems and gain unauthorised access to an account. Attacks like this underscore the need to reinforce passwords with multi-factor authentication (MFA) and, ultimately, move beyond passwords to context-aware, smart authentication methods that remove the reliance on human factors.
January 31, 2020
Bob Rudis
Chief Data Scientist
Rapid7
Individuals should think twice before letting a third-party site, service, or application use actual credentials for things like Twitter, Instagram, Facebook (et al.) since such a requirement inherently means those credentials will be stored in a way to be reused (i.e. the passwords will not be hashed). Furthermore, the OAuth standards were developed to enable support for third-party workflows without the need to give unrestricted access via the use of user credentials. If a site's API does not provide sufficient functionality, these third-party services should work with the primary application, i.e. Social Captain should have worked with Instagram to have whatever functionality they needed baked into the API proper vs. bypassing these safety measures by requiring user credentials. Hopefully this will be a learning opportunity for other third-party services who still rely on user credentials for access and instrumentation to services like Twitter, Instagram, or Facebook.
January 31, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
There are several concerns with this incident. From the researcher's perspective, brute forcing and gaining access to private data is not an acceptable practice. If the researcher had concerns, they should have tried raising it with the airline directly. The airline itself apparently hasn't followed best practices, not having a well-protected system resilient to brute forcing through account lockouts, monitoring, or 2FA. Having unencrypted data on so many passengers exposed can be a big issue. Being able to track people's movements could lead to them being attractive targets of cyber or traditional criminals who may want to use the data to exploit the victims. Affected passengers should also be wary in the coming weeks of any phishing emails that may claim to be from the airline offering a refund or some other hook to get them to click on a link and compromise them further.
January 31, 2020
Darell Long
VP of product management
One Identity
In this instance, Multi-Factor Authentication could well have been an important addition to the equation, but in some cases MFA is not an option. Therefore, ensuring strong passwords, proper entitlements, and the right level of governance are also critical components in achieving the security profile needed to help mitigate these types of risk. Identity Security is the core of any good security strategy. In 2020, we expect to see companies across all industries struggle with the integration of proactive data privacy practices and policies. As companies notify customers following breaches, if it is found that proper data protection practices, such as identity governance and administration and privileged access management, are not being implemented, we will see harsher punishments and consequently a rush of companies backtracking and working to implement the right security tools and practices after a breach.
January 31, 2020
Hugo Van den Toorn
Manager, Offensive Security
Outpost24
Ignoring the separate discussion of the legality of this 'ethical' hack and its disclosure policy, this is a typical example of a lack of security. Whenever you are storing data, and especially if it involves sensitive personally identifiable information (PII), that data should be classified and protected according to its classification. High-value data, such as PII, should either be stored internally or at least protected by multi-factor authentication if it has a valid reason to be accessible over the Internet. This data was most likely never intended to be Internet facing, but unfortunately was. This is a typical example of how multiple missing layers of security result in the exposure of data.
January 31, 2020
Peter Draper
Technical Director, EMEA
Gurucul
This is another example of a lack of basic security controls. Anything that contains customer data should not be "protected" (or not, as the case may be) behind a simple, easily guessable password. This does not follow the SpiceJet spokesperson's response stating "we [SpiceJet] undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level." Some possible measures would be a complex, frequently changed password (at minimum) or, better still, MFA for access to this customer data. In addition, it would be interesting to know if SpiceJet were even aware of the access attempts. If not, then modern security analytics solutions are available to provide the visibility required to identify and mitigate these threats quickly.
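The visibility Draper asks about (were the guessing attempts even noticed?) is a detection question, and the core of it is small. The following is an added illustration written for this page, not SpiceJet's tooling or any vendor's analytics product. The log line format, the source addresses (RFC 5737 documentation ranges) and the event names are all constructed for the example; the thresholds are arbitrary defaults. It keys on (source address, username), raises one alert when a source racks up `threshold` failures inside a sliding window, and a second, higher-priority alert if a success then follows from the same source, which is the signature of a guess that finally landed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example: "<UTC timestamp> auth_fail|auth_ok user=<u> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<event>auth_fail|auth_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else (never raise on junk)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_guessing(lines, threshold=5, window_s=300):
    """Scan auth events in order; return (kind, src, user, iso_timestamp) alerts.

    kind is "burst" when a (src, user) pair accumulates `threshold` failures
    within `window_s` seconds, and "burst_then_success" when a success arrives
    while that pair is still over threshold.
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps of failures inside the window
    alerted = set()               # pairs already reported as bursting, to avoid re-alerting
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = recent[key]
        # slide the window: forget failures older than window_s
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) < threshold:
            alerted.discard(key)
        if ev["event"] == "auth_fail":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("burst", ev["src"], ev["user"], ev["ts"].isoformat()))
        else:
            if len(q) >= threshold:
                alerts.append(("burst_then_success", ev["src"], ev["user"], ev["ts"].isoformat()))
            # a success ends the streak either way
            q.clear()
            alerted.discard(key)
    return alerts


# Constructed sample: one user mistypes once and recovers; one source guesses six
# times in six seconds and then gets in. A malformed line is included on purpose.
SAMPLE_LOG = [
    "2020-01-24T10:00:01Z auth_fail user=ops src=198.51.100.7",
    "2020-01-24T10:00:09Z auth_ok user=ops src=198.51.100.7",
    "2020-01-24T10:15:00Z auth_fail user=ops src=203.0.113.5",
    "2020-01-24T10:15:01Z auth_fail user=ops src=203.0.113.5",
    "2020-01-24T10:15:02Z auth_fail user=ops src=203.0.113.5",
    "2020-01-24T10:15:03Z auth_fail user=ops src=203.0.113.5",
    "2020-01-24T10:15:04Z auth_fail user=ops src=203.0.113.5",
    "2020-01-24T10:15:05Z auth_fail user=ops src=203.0.113.5",
    "2020-01-24T10:15:06Z auth_ok user=ops src=203.0.113.5",
    "this line is not an auth event",
]

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

Keying on (source, user) is the right default for a single shared login like the one described here, but it is blind to guessing spread across many source addresses against one account; for that, key on the user alone and accept that a legitimate user's typos will occasionally trip the threshold.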
January 31, 2020
Sam Curry
Chief Security Officer
Cybereason
Ethical hacking is easy to get wrong and hard to do right. In the case of SpiceJet, not much is known about the hacker except the apparent absence of malice and that they went to CERT-IN, although arguably they might have gone straight to SpiceJet. In the end, the concern is less about what this hacker did than about what others might have done or not up until now. SpiceJet needs to be transparent about what they do and don't know has happened around this weak policy beyond fixing it. If SpiceJet is also serious about customer safety and security and privacy being sacrosanct, they should demonstrate best-of-breed practices or investment in ramping such up. This is more than lip service. They should invite ethical hacking and put a program in place. You can be a hero or a villain as a company, not a victim. SpiceJet has demonstrated they want to be a hero, and that means leaning in harder and putting money where the company's mouth is or risk being vilified.
January 31, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
There are three important lessons to be learned from the SpiceJet breach. First, a proactive approach to security is the most effective way to reduce risk. In this case, the breach has happened, so the milk is spilled already. In an alternate, better history, engineers would have performed threat modeling during the design of the system. Recognising that an attacker who gains access would have unfettered access to information, the design of the system would have included the encryption of the data. Second, passwords are always difficult. In this case, setting and enforcing a strong password policy for this system would have made the brute force attack ineffective. In addition, proactive threat modeling would have considered the danger of brute force attacks and designers would put in place security controls such as rate limiting and account lockouts. Finally, this breach demonstrates the importance of incident response. The researcher who discovered the vulnerable system was not able to communicate with SpiceJet, and it was only after CERT-IN got involved that anything happened. Organisations need to know that customers and researchers will try to get in touch about security issues, and they should have a well-defined, easy-to-locate place where such issues can be raised.
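Knudsen's second lesson names three controls, a password policy, rate limiting and account lockout, that together make a guessing attack like the one reported here impractical. The following is an added example for this page, not SpiceJet's code and not any product's API: an in-memory login guard that checks a per-source request rate before doing any credential work, refuses attempts against a locked account without verifying them, hashes passwords with PBKDF2 and compares digests in constant time. The iteration count, the tiny denylist, the limits and the `now` clock parameter are all illustrative assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

PBKDF2_ITERS = 100_000  # illustrative; tune to the hardware so a verify costs tens of ms

# Constructed stand-in for a breached-password denylist; a real one has millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def password_meets_policy(password):
    """Minimum length plus a denylist check: a policy that kills most guessing outright."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Verified against for unknown usernames so the work (and timing) matches a real account.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")


class LoginGuard:
    def __init__(self, users, max_failures=5, lockout_s=900, rate_limit=20, rate_window_s=60):
        self.users = users                 # username -> (salt, digest)
        self.max_failures = max_failures   # consecutive failures before lockout
        self.lockout_s = lockout_s         # lockout duration in seconds
        self.rate_limit = rate_limit       # attempts per source per window
        self.rate_window_s = rate_window_s
        self.failures = defaultdict(int)   # username -> consecutive failure count
        self.locked_until = {}             # username -> time the lock expires
        self.requests = defaultdict(deque) # src -> timestamps of recent attempts

    def attempt(self, username, password, src, now):
        """Return "rate_limited", "locked", "fail" or "ok". `now` is a seconds clock."""
        # 1. Per-source throttle first, so a flood cannot even burn CPU on hashing.
        q = self.requests[src]
        while q and now - q[0] > self.rate_window_s:
            q.popleft()
        if len(q) >= self.rate_limit:
            return "rate_limited"
        q.append(now)
        # 2. Per-account lockout: a correct guess during the lock still yields nothing.
        if self.locked_until.get(username, 0) > now:
            return "locked"
        # 3. Credential check, with a dummy verify for unknown users to avoid a timing oracle.
        record = self.users.get(username)
        if record is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)
            ok = False
        else:
            ok = verify_password(password, *record)
        if ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_s
            self.failures[username] = 0
            return "locked"
        return "fail"


if __name__ == "__main__":
    users = {"ops": hash_password("correct horse battery staple")}
    guard = LoginGuard(users, max_failures=3)
    for t, pw in enumerate(["guess1", "guess2", "guess3", "correct horse battery staple"]):
        print(t, guard.attempt("ops", pw, "203.0.113.5", now=t))
```

Two caveats worth carrying into a real deployment: a lockout is itself a denial-of-service lever (anyone who knows a username can lock it), which is why the per-source throttle and an alert on lockouts sit alongside it rather than replacing it; and the counters here live in process memory, so a clustered service needs them in shared storage or the limits are multiplied by the number of nodes.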