It has been reported that SpiceJet, one of India’s largest privately owned airlines, has acknowledged a data breach involving the details of over a million of its passengers. The database included a rolling month’s worth of flight information and details of each commuter, they said, adding that they believe that the database was easily accessible for anyone who knew where to look.
Data Breach at Indian airline SpiceJet affects 1.2 million passengers – https://t.co/9pLmW1ztmL – SpiceJet, one of India’s largest privately owned airlines, has acknowledged a data breach involving the details of over a million of its passengers pic.twitter.com/XfiS6NdmO6
— Airline Routes & Ground Services (@ARGS_EVA) January 31, 2020
Individuals should think twice before letting a third-party site, service, or application use actual credentials for things like Twitter, Instagram, Facebook (et al) since such a requirement inherently means those credentials will be stored in a way to be reused (i.e. the passwords will not be hashed). Furthermore, the OAuth standards were developed to enable support for third-party workflows without the need to give unrestricted access via the use of user-credentials. If a site\’s API does not provide sufficient functionality these third-party services should work with the primary application — i.e. Social Captain should have worked with Instagram to have whatever functionality they needed baked into the API-proper vs. bypass these safety measures by requiring user-credentials. Hopefully this will be a learning opportunity for other third-party services who still rely on user-credentials for access and instrumentation to services like Twitter, Instagram, or Facebook.
There are several concerns with this incident. From the researchers perspective, brute forcing and gaining access to private data is not an acceptable practice. If the researcher had concerns, they should have tried raising it with the airline directly.
The airline itself hasn\’t apparently followed best practices through by not having a well protected system that is not resilient to brute forcing through account lock outs, monitoring, or 2FA.
Having unencrypted data on so many passengers exposed can be a big issue. Being able to track peoples movements could lead to them being attractive targets of cyber or traditional criminals who may want to use the data to exploit the victims. Affected passengers should also be wary in the coming weeks of any phishing emails that may claim to be from the airline offering a refund or some other hook to get them to click on a link and compromise them further.
In this instance, Multi Factor Authentication could well have been an important addition to the equation, but in some cases, MFA is not an option. Therefore, ensuring strong passwords, proper entitlements, and the right level of governance are also critical components in achieving the security profile needed to help mitigate these types of risk. Identity Security is the core of any good security strategy.
In 2020, we expect to see companies across all industries struggle with the integration of proactive data privacy practices and policies. As companies notify customers following breaches, if it is found that proper data protection practices, such as identity governance and administration and privileged access management are not being implemented, we will see harsher punishments and consequently a rush of companies backtracking and working to implement the right security tools and practices after a breach.
Ignoring the separate discussion of the legality of this ‘ethical’ hack and it’s disclosure policy, this is a typical example of a lack of security. Whenever you are storing data and especially if it involves sensitive personally identifiable information (PII), that data should be classified and protected according to its classification. High valued data, such as PII should either be stored internally or at least protected by multi-factor authentication if it has a valid reason to be accessible over the Internet. This data was most likely never intended to be Internet facing, but unfortunately was. This is a typical example of how multiple missing layers of security results in the exposure of data.
This is another example of lack of basic security controls. Anything that contains customer data should not be \”protected\” (or not as the case may be) behind a simple, easily guessable password. This does not follow the Spicejet Spokespersons response stating \”we [Spicejet] undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.
Some possible measures would be complex, frequently changed password (minimum) or better still MFA for access to this customer data. In addition, it would be interesting to know if SpiceJet were even aware of the access attempts. If not then modern security analytics solutions are available to provide the visibility required to identify and mitigate these threats quickly.