India’s new startup Akasa Air has suffered a security breach associated with passenger personal information, with unauthorized individuals gaining access to the carrier’s passenger database. The carrier self-reported the incident involving the unauthorized disclosure of personal data about the name, gender, email address, and phone number of its registered users to the Indian Computer Emergency Response Team (CERT-In).
On August 25, the carrier was made aware that there was a temporary technical glitch related to its login and sign-up service, leading to the leakage of personal information of its passengers to the hackers. Taking advantage of the airline’s vulnerable security system, hackers gained access to registered user information limited to names, gender, email addresses, and phone numbers. Other than personal details, Akasa Air confirmed that no confidential details of passengers related to their travel records or payment information were compromised or accessed by unauthorized users.
A cyber security researcher named Ashutosh Barot reported the data breach situation through a journalist to Akasa Air. Upon uncovering the passenger data theft, the airline shut down its system’s associated functional elements to end this unauthorized access. Later on, Akasa Air applied additional control measures to ensure a secure system before resuming its login and sign-up services on the official website for customer flight bookings.
Self-reporting to CERT-In
After being informed in detail about the vulnerability on its website, Akasa Air self-reported the security breach involving the passenger database to CERT-In, a government office within the Ministry of Electronics and Information Technology to deal with cyber security threats. Despite sharing details with the nodal agency, Akasa Air asserted that there was no ‘intentional hacking attempt’ based on its records. The Indian Computer Emergency Response Team CERT-In is likely to conduct a thorough investigation regarding the security breach of Akasa Air’s user information.
Informing the affected passengers
Apart from reporting to the CERT-In, as a part of its commitment to be always transparent, Akasa Air also notified the affected passengers about the leak through emails on Saturday and Sunday. The email was intended to create awareness among users who had shared their information on the website during ticket bookings and urge them to be vigilant against possible phishing attempts. The airline also apologized for the inconvenience caused to passengers as a result of personal information leakage. The breach of security leading to unauthorized access to personally identifiable information can culminate in tangible losses, identity threat, fraud, etc.
The cyber security research expert Ashutosh Barot informed the carrier on the matter concerning the leakage of sensitive information of users of the airline’s website through a journalist. The carrier thanked the research expert for reporting the data leak of its passenger database.
What next?
Akasa Air’s Co-Founder and Chief Information Officer, Anand Srinivasan, ensured that the carrier had undertaken additional measures to further enhance the security of its system while keeping extensive protocols in place to prevent such incidents. He stated that the system security and protection of customer information were paramount, and the carrier would continue to maintain robust security protocols to strengthen its website system.
Akasa Air is India’s newest airline that commenced its commercial operations on August 7 with an inaugural flight on the Mumbai-Ahmedabad route. The carrier has pursued rapid expansion plans with the launch of over 150 weekly flights by the end of September. Backed by Indian billionaire Rakesh Jhunjhunwala, Akasa Air currently operates 3 Boeing 737 Max aircraft and plans to induct new aircraft every two weeks until all 72 aircraft orders have been fulfilled.
Cybersecurity attacks on other Indian carriers
In recent times, cyber-attacks have become a growing threat affecting many airline passengers across India. Akasa Air is not the first victim of cybersecurity problems among other Indian airlines. Earlier on May 2022, SpiceJet reported an attempted ransomware attack affecting its IT system. As a result of the attack, several passengers were stranded due to delays in flight departures. The carrier’s IT team rectified the situation and managed to thwart the attack, and the flight operational status went back to normal.
In 2021, Air India suffered a cyberattack on the servers that affected its more than 4.5 million customers, compromising their personal details, including passport, credit card details, birth dates, names, frequent flier data, etc. Subjected to the massive data breach for reportedly 22 days, the carrier somehow secured the compromised servers.