India’s Akasa Air exposed sensitive records of thousands of customers

Akasa Air, India’s newly launched airline that began operations earlier this month, exposed the personal data of thousands of its customers because of a technical glitch that affected its login and sign-up service.

The exposed data, discovered by cybersecurity researcher Ashutosh Barot, included full names, gender, email addresses and phone numbers of customers signing up and logging in on the Akasa Air website.

The researcher found an HTTP request disclosing the data minutes after looking at Akasa Air’s website on its inaugural day on August 7. He had initially tried to communicate with the security team at the Mumbai-based airline directly but did not find a direct contact.

“I reached out to the airline via their official Twitter account, asking them for an email ID to report the issue. They gave me the info@akasa email ID to which I didn’t share the vulnerability details because it might be handled by support staff or third-party vendors. So, I emailed them again and asked [the airline] to provide [the] email address of someone from their security team. I received no further communication from Akasa,” the researcher said.

After not getting a response from the airline on how he could connect with the security team, the researcher informed TechCrunch about the issue.

Akasa Air quickly responded when we reached out and acknowledged that the issue had put 34,533 unique customer records at risk. The airline also said the exposed data did not include travel-related information or payment records.

On being made aware of the incident, Akasa Air shut down its sign-up service. The airline also said that it added additional controls before resuming its service to the general public.

Additionally, the airline told TechCrunch that it carried additional reviews to ensure the security of all its systems.

Akasa Air reported the incident to India’s nodal cybersecurity agency CERT-In and notified its affected users through a statement that it also made public on Sunday. It advised users “to be conscious of possible phishing attempts” due to the data exposure. Further, it confirmed to TechCrunch that it did not see an “untoward spike in access” to the data.

“At Akasa Air, system security and protection of customer information is paramount, and our focus is to always provide a secure and reliable customer experience. While extensive protocols are in place to prevent incidents of such nature, we have undertaken additional measures to ensure that the security of all our systems is even further enhanced. We will continue to maintain our robust security protocols, engaging wherever applicable, with partners, researchers, and security experts from whom we can benefit to strengthen our systems,” Anand Srinivasan, co-founder and chief information officer at Akasa Air, said in a prepared statement on the matter.

“I am glad the airline fixed the issue on short notice and reported it to CERT-In as well as informed its customers about the incident, which is an exemplary step,” the researcher said.

Incidents of data exposure and leaks are becoming common in India, which withdrew the last iteration of its data protection bill earlier this month. A number of domestic companies in the country also do not have dedicated programs to award and incentivize researchers helping to find flaws in their systems.