Data Breach at Indian airline SpiceJet affects 1.2 million passengers

posted on 31st January 2020 by Eddie Saunders
Data Breach at Indian airline SpiceJet affects 1.2 million passengers

SpiceJet, one of India’s largest privately owned airlines, has acknowledged a data breach involving the details of over a million of its passengers. The database included flight information and details of each commuter, they said, adding that they believe that the database was easily accessible for anyone who knew where to look.

Lisa Baergen director at NuData Security, a Mastercard company comments: “Data in the wrong hands – especially personal information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach.

More recently, we’ve seen a change in the value of stolen data as more and more institutions are implementing behavioural user authentication solutions that render stolen data valueless. My advice for companies is to augment their current authentication framework so they don’t rely solely on username and passwords, and deploy technology to identify their legitimate users despite the constant stream of consumer information exposed through data leaks and stolen credentials. Many online companies are turning to technologies to identify customers by their behaviours and biometrics, instead of relying solely on static user credentials, and are preventing the account takeover attacks that come from such breaches.”

Jonathan Knudsen, senior security strategist at Synopsys: “There are three important lessons to be learned from the SpiceJet breach. First, a proactive approach to security is the most effective way to reduce risk. In this case, the breach has happened, so the milk is spilled already. In an alternate, better history, engineers would have performed threat modeling during the design of the system. Recognising that an attacker who gains access would have unfettered access to information, the design of the system would have included the encryption of the data.

Second, passwords are always difficult. In this case, setting and enforcing a strong password policy for this system would have made the brute force attack ineffective. In addition, proactive threat modeling would have considered the danger of brute force attacks and designers would put in place security controls such as rate limiting and account lockouts.

Finally, this breach demonstrates the importance of incident response. The researcher who discovered the vulnerable system was not able to communicate with SpiceJet, and it was only after CERT-IN got involved that anything happened. Organisations need to know that customers and researchers will try to get in touch about security issues, and they should have a well-defined, easy-to-locate place where such issues can be raised.”

Sam Curry, Chief Information Security Officer at Cybereason: “Ethical hacking is easy to get wrong and hard to do right. In the case of SpiceJet, not much is known about the hacker except the apparent absence of malice and that they went too CERT-IN, although arguably they might have gone straight to SpiceJet. In the end, the concern is less about what this hacker did than about what others might have done or not up until now. SpiceJet needs to be transparent about what they do and don’t know has happened around this weak policy beyond fixing it. If SpiceJet is also serious about customer safety and security and privacy being sacrosanct, they should demonstrate best of breed practices or investment in ramping such up. This is more than lip service. They should invite ethical hacking and put a program in place. You can be a hero or a villain as a company, not a victim. SpiceJet has demonstrated they want to be a hero, and that means leaning in harder and putting money where the company’s mouth is or risk being vilified.”

Elle Lathrop, managing director, EMEA at OneLogin: “It’s extremely concerning that a company the size of Spacejet is naive enough to rely on what’s been reported as an ‘easily-guessable’ password, prone to brute-force attacks. Passwords continue to be the weakest link and brute-force attacks are a common method used by hackers to exploit weak passwords to penetrate systems and gain unauthorised access to an account. Attacks like this underscore the need to reinforce passwords with multi-factor authentication (MFA) and, ultimately, move beyond passwords to context-aware, smart authentication methods that remove the reliance on human factors.”

Peter Draper, technical director EMEA at Gurucul: “This is another example of lack of basic security controls.  Anything that contains customer data should not be “protected” (or not as the case may be) behind a simple, easily guessable password.  This does not follow the Spicejet Spokespersons response stating “we [Spicejet] undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.” 

Some possible measures would be complex, frequently changed password (minimum) or better still MFA for access to this customer data. In addition, it would be interesting to know if SpiceJet were even aware of the access attempts. If not then modern security analytics solutions are available to provide the visibility required to identify and mitigate these threats quickly.”

Hugo van den Toorn, manager of offensive security at Outpost24: “Ignoring the separate discussion of the legality of this ‘ethical’ hack and it’s disclosure policy, this is a typical example of a lack of security. Whenever you are storing data and especially if it involves sensitive personally identifiable information (PII), that data should be classified and protected according to its classification. High valued data, such as PII should either be stored internally or at least protected by multi-factor authentication if it has a valid reason to be accessible over the Internet. This data was most likely never intended to be Internet facing, but unfortunately was. This is a typical example of how multiple missing layers of security results in the exposure of data.”

Darrell Long, VP of product management at One Identity: “In this instance, Multi Factor Authentication  could well have been an important addition to the equation, but in some cases, MFA is not an option. Therefore, ensuring strong passwords, proper entitlements, and the right level of governance are also critical components in achieving the security profile needed to help mitigate these types of risk.  Identity Security is the core of any good security strategy.

In 2020, we expect to see companies across all industries struggle with the integration of proactive data privacy practices and policies. As companies notify customers following breaches, if it is found that proper data protection practices, such as identity governance and administration and privileged access management are not being implemented, we will see harsher punishments and consequently a rush of companies backtracking and working to implement the right security tools and practices after a breach.”