New Indian airline firm exposes sensitive data of thousands of customers

akasa air exposes sensitive data

India’s newly launched airline, Akasa Air, which started operations earlier this month, exposed the personal data of thousands of its customers via a technical glitch that affected its login and sign-up service.

Cybersecurity researcher Ashutosh Barot discovered the exposed data, which included gender, full names, phone numbers, and email addresses of customers signing up and logging in on the Akasa Air website.

The researcher identified an HTTP request disclosing the data minutes after looking at Akasa Air’s website on its inaugural day on 7 August. Akasa Air responded after much delay and acknowledged that the issue had put 34,553 unique customer records at risk. The fledgling airline said the exposed data did not include travel-related information or payment records.

Akasa Air reported the incidents to India’s nodal cybersecurity agency CERT-In and informed its affected users through a statement that it also made public on 28 August 2022. The airline advised users to be conscious of possible phishing attempts due to the exposed data.

The co-founder and Chief Information Officer at Akasa Air, Anand Srinivasan, said in a statement that system security and reliable customer experience were paramount for the airlines.

Incidents of data leaks and exposure are becoming frequent in India. The Indian government withdrew the last iteration of its data protection bill earlier in August 2022. Many domestic companies in the nation also do not have dedicated programs to award and incentive researchers helping to find flaws in their systems.