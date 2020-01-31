Experts On Data Breach At Indian Airline SpiceJet Affects 1.2 Million Passengers

It has been reported that SpiceJet, one of India’s largest privately owned airlines, has acknowledged a data breach involving the details of over a million of its passengers. According to the report, the exposed database held a rolling month’s worth of flight information and personal details for each passenger, and was easily accessible to anyone who knew where to look.

Bob Rudis, Chief Data Scientist, Rapid7
January 31, 2020
Social Captain should have worked with Instagram to have whatever functionality they needed baked into the API-proper vs.
Individuals should think twice before letting a third-party site, service, or application use actual credentials for things like Twitter, Instagram, Facebook (et al.) since such a requirement inherently means those credentials will be stored in a way to be reused (i.e. the passwords will not be hashed). Furthermore, the OAuth standards were developed to enable support for third-party workflows with ....
Javvad Malik, Security Awareness Advocate, KnowBe4
January 31, 2020
If the researcher had concerns, they should have tried raising it with the airline directly.
There are several concerns with this incident. From the researcher's perspective, brute-forcing and gaining access to private data is not an acceptable practice. If the researcher had concerns, they should have tried raising it with the airline directly. The airline itself hasn't apparently followed best practices through by not having a well-protected system that is not resilient to brute forcin ....
Darell Long, VP of Product Management, One Identity
January 31, 2020
In 2020, we expect to see companies across all industries struggle with the integration of proactive data privacy practices and policies.
In this instance, Multi-Factor Authentication (MFA) could well have been an important addition to the equation, but in some cases, MFA is not an option. Therefore, ensuring strong passwords, proper entitlements, and the right level of governance are also critical components in achieving the security profile needed to help mitigate these types of risk. Identity Security is the core of any good security ....
Hugo Van den Toorn, Manager, Offensive Security, Outpost24
January 31, 2020
This data was most likely never intended to be Internet facing, but unfortunately was.
Ignoring the separate discussion of the legality of this ‘ethical’ hack and its disclosure policy, this is a typical example of a lack of security. Whenever you are storing data, and especially if it involves sensitive personally identifiable information (PII), that data should be classified and protected according to its classification. High-value data, such as PII, should either be stored ....
Peter Draper, Technical Director, EMEA, Gurucul
January 31, 2020
In addition, it would be interesting to know if SpiceJet were even aware of the access attempts.
This is another example of lack of basic security controls. Anything that contains customer data should not be "protected" (or not, as the case may be) behind a simple, easily guessable password. This does not follow the SpiceJet spokesperson's response stating "we [SpiceJet] undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highes ....
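Two of the comments above point at concrete controls: Javvad Malik's, that the system should have been resilient to brute forcing, and Peter Draper's, that SpiceJet should have been aware of the access attempts. The script below is an added example, written for this page and not taken from the article or from any of the quoted commentators, that shows both: a login gate with per-account lockout and per-source throttling, and detection logic run over a few constructed authentication-log lines. The log format, the thresholds, the account and IP values, and the helper names (`LoginGate`, `detect_bruteforce`, `demo_gate`) are all assumptions made for the example; nothing in it describes SpiceJet's actual system.

```python
"""Added example: brute-force-resistant login gate plus log-based detection.
Not from the article or the quoted commentators; thresholds, log format and
sample data are assumptions constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- 1. Login gate ----------------------------------------------------------
MAX_FAILURES_PER_ACCOUNT = 5    # lock the account after this many failures
ACCOUNT_LOCK_SECONDS = 15 * 60  # lockout duration (assumed policy)
MAX_ATTEMPTS_PER_SOURCE = 20    # throttle a source IP beyond this many attempts
SOURCE_WINDOW_SECONDS = 60      # ... within this sliding window


class LoginGate:
    """Wraps a password check with per-account lockout and per-source throttling."""

    def __init__(self, verify_password):
        self._verify = verify_password              # callable(account, password) -> bool
        self._failures = defaultdict(int)           # account -> consecutive failures
        self._locked_until = {}                     # account -> datetime
        self._source_attempts = defaultdict(deque)  # source ip -> attempt timestamps

    def attempt(self, account, password, source_ip, now):
        """Return one of "ok", "denied", "locked", "throttled"."""
        # Throttle by source first, so a password spray across many accounts
        # trips even though no single account reaches its lockout.
        window = self._source_attempts[source_ip]
        while window and (now - window[0]).total_seconds() > SOURCE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_SOURCE:
            return "throttled"
        window.append(now)

        lock = self._locked_until.get(account)
        if lock is not None and now < lock:
            # Do not check the password while locked: the same answer for a right
            # and a wrong guess denies the attacker an oracle during the lockout.
            return "locked"

        if self._verify(account, password):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES_PER_ACCOUNT:
            self._locked_until[account] = now + timedelta(seconds=ACCOUNT_LOCK_SECONDS)
            self._failures[account] = 0
        return "denied"


def demo_gate():
    """Drive the gate through an account lockout and a password spray."""
    t0 = datetime(2020, 1, 20, 2, 14, 0)
    gate = LoginGate(lambda account, password: (account, password) == ("ops", "correct horse"))
    outcomes = [gate.attempt("ops", "guess%d" % i, "203.0.113.7", t0 + timedelta(seconds=i))
                for i in range(5)]                                       # 5 x "denied"
    outcomes.append(gate.attempt("ops", "correct horse", "203.0.113.7",
                                 t0 + timedelta(seconds=6)))             # "locked"
    outcomes.append(gate.attempt("ops", "correct horse", "203.0.113.7",
                                 t0 + timedelta(seconds=ACCOUNT_LOCK_SECONDS + 10)))  # "ok"
    spray = LoginGate(lambda account, password: False)
    sprayed = [spray.attempt("user%d" % i, "Winter2020!", "192.0.2.9",
                             t0 + timedelta(milliseconds=i)) for i in range(25)]
    return outcomes, sprayed.count("throttled")                           # ..., 5


# --- 2. Detection over authentication-log lines ----------------------------
# Assumed line format (constructed for this example):
#   <ISO timestamp> auth result=<ok|denied> user=<account> src=<ip>
SAMPLE_LOG = """\
2020-01-20T02:14:01 auth result=denied user=ops src=203.0.113.7
2020-01-20T02:14:02 auth result=denied user=ops src=203.0.113.7
2020-01-20T02:14:03 auth result=denied user=ops src=203.0.113.7
2020-01-20T02:14:04 auth result=denied user=ops src=203.0.113.7
2020-01-20T02:14:05 auth result=denied user=ops src=203.0.113.7
2020-01-20T02:14:06 auth result=denied user=ops src=203.0.113.7
2020-01-20T02:14:07 auth result=ok user=ops src=203.0.113.7
2020-01-20T02:20:00 auth result=denied user=alice src=198.51.100.4
2020-01-20T02:20:05 auth result=ok user=alice src=198.51.100.4
"""
FAILURE_THRESHOLD = 5        # failures from one source within the window
DETECT_WINDOW_SECONDS = 300


def parse_line(line):
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:])
    return datetime.fromisoformat(parts[0]), fields["result"], fields["user"], fields["src"]


def detect_bruteforce(log_text):
    """Map each source that bursts past FAILURE_THRESHOLD to the accounts it
    then logged into (an empty list means attempts seen, no success yet)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}                    # src -> accounts accessed after the burst
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        window = failures[src]
        while window and (ts - window[0]).total_seconds() > DETECT_WINDOW_SECONDS:
            window.popleft()
        if result == "denied":
            window.append(ts)
            if len(window) >= FAILURE_THRESHOLD:
                flagged.setdefault(src, set())
        elif result == "ok" and src in flagged:
            flagged[src].add(user)   # success after a burst of failures: likely compromise
    return {src: sorted(accounts) for src, accounts in flagged.items()}


if __name__ == "__main__":
    print(demo_gate())
    print(detect_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': ['ops']}
```

Alice's single typo from 198.51.100.4 never reaches the threshold and raises no alert, while the six failures and then a success from 203.0.113.7 do; the gate's "locked" response is returned for the correct password as well, so an attacker gets no confirmation during the lockout.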
Elle Lathrop, Managing Director, EMEA, OneLogin
January 31, 2020
Passwords continue to be the weakest link and brute-force attacks are a common method used by hackers.
It's extremely concerning that a company the size of SpiceJet is naive enough to rely on what's been reported as an 'easily guessable' password, prone to brute-force attacks. Passwords continue to be the weakest link and brute-force attacks are a common method used by hackers to exploit weak passwords to penetrate systems and gain unauthorised access to an account. Attacks like this underscore the ....
Sam Curry, Chief Security Officer, Cybereason
January 31, 2020
This is more than lip service. They should invite ethical hacking and put a program in place.
Ethical hacking is easy to get wrong and hard to do right. In the case of SpiceJet, not much is known about the hacker except the apparent absence of malice and that they went to CERT-In, although arguably they might have gone straight to SpiceJet. In the end, the concern is less about what this hacker did than about what others might have done or not up until now. SpiceJet needs to be transparen ....
Jonathan Knudsen, Senior Security Strategist, Synopsys
January 31, 2020
Organisations need to know that customers and researchers will try to get in touch about security issues.
There are three important lessons to be learned from the SpiceJet breach. First, a proactive approach to security is the most effective way to reduce risk. In this case, the breach has happened, so the milk is spilled already. In an alternate, better history, engineers would have performed threat modeling during the design of the system. Recognising that an attacker who gains access would have unf ....

