Personal information such as name, gender, email address and phone numbers of some Akasa Air passengers has been leaked to “unauthorised individuals”, the airline stated on Sunday. India’s newest carrier said it self-reported this incident to the Indian Computer Emergency Response Team (CERT-In), which is the government-authorised nodal agency tasked with dealing with matters of this nature.
However, Akasa Air asserted that there was no “intentional hacking attempt, but that the situation was reported by a research expert through a journalist for which we are grateful”. The cyber security researcher concerned was Mumbai-based Ashutosh Barot, who works as Deputy Manager at a top international consulting firm.
Barot told Business Standard he found the leak during his free time on August 7, the day Akasa Air operated its first commercial flight. He said he attempted to get in touch with Akasa Air on the next day itself, by sending a direct message on Twitter.
“The airline gave me its generic email ID. I told them to get me in touch with the security in-charge as the matter concerns leakage of sensitive information of users of the airline's website,” he noted.
After receiving no response from the airline, Barot told a journalist, who then got in touch with Akasa Air.
“The airline was then informed in detail about the vulnerability on their website at around August 17. Akasa Air resolved the issue around 4-5 days back,” Barot said.
On August 7, Akasa Air had launched commercial flight operations with its first service on the Mumbai-Ahmedabad route, via the B737 Max aircraft. On Saturday and Sunday, the airline sent emails to passengers — who had submitted their details on its website while booking tickets — to inform them about the leak.
“A temporary technical configuration error related to our login and sign-up service was reported on August 25. As a result, some Akasa Air registered user information limited to names, gender, email addresses and phone numbers may have been viewed by unauthorised individuals,” the airline’s email noted.
Besides the above details, no travel-related information, travel records or payment information was compromised, it clarified.
“On being made aware of the incident, we immediately stopped this unauthorised access by completely shutting down the associated functional elements of our system. After having added additional controls to address this situation, we have resumed our login and sign-up services,” it mentioned.
The airline — which plans to operate 150 weekly flights by the end of September — said it has undertaken additional reviews to ensure that the security of all its systems is enhanced further.
“We wanted to make you aware of this situation and urge you to be vigilant against possible phishing attempts, since your information may have been accessed as a result of this incident,” it told passengers.
The airline’s key investor Rakesh Jhunjhunwala passed away on August 14. Three days later, its chief executive officer (CEO) Vinay Dube said the carrier is well-capitalised and has financial means to place an order for more planes.
In November last year, Akasa Air had ordered 72 B737 Max planes from Boeing. The US-based aircraft manufacturer has delivered three of the 72 planes till date.
In a statement to media on Sunday evening, the airline’s Chief Information Officer Anand Srinivasan said Akasa Air will “continue to maintain” its “robust” security protocols and wherever applicable, it will engage with partners, researchers and security experts to strengthen its systems.