ANI reports:
India’s privately-owned airline SpiceJet has denied the data breach reports of about a million passengers.
The airline also said that there was no security lapse in its systems.
“There was no data breach in any of SpiceJet’s servers. At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level,” a SpiceJet spokesperson said.
According to TechCrunch, a security researcher “gained access to one of SpiceJet’s systems by brute-forcing the system’s easily guessable password” and described their actions as ethical hacking.
Read more on Business Standard.
Ok, I don’t consider brute-force attacks on passwords as ethical hacking, but that’s just my opinion. What I do want to highlight here is that although SpiceJet denied any breach, re-read what TechCrunch reported:
The researcher later alerted CERT-In, a government-run agency in India that handles cybersecurity threats in the nation. The agency confirmed the security lapse, and alerted SpiceJet, which has since taken the necessary measures to protect the database.
So SpiceJet is denying what CERT-In confirmed? Or have they since changed their statement? I can find no statement on the airline’s website.