Customer data may not be secure with Arik Air

Customer data belonging to Arik Air may have leaked. An information technology expert who goes by the handle xxdesmus disclosed this in a post as well as in a tweet from his account. He said he found the data in the normal course of scanning for open, exposed or vulnerable Amazon S3 buckets, the portal nairametrics.com writes.

From the timeline he provided, it took the airline about a month to respond to his emails. He first noticed the leak on the 6th of September 2018 and notified the airline the same day. The carrier finally replied on the 17th of September 2018, asking him to resend his email to another address. After sending an email to that address, he was told they would review the situation, and he never heard from Arik Air again.

The data also show the travel patterns of individual passengers.

The ICT professional also gave hints about the data that leaked. It includes 994 CSV files. Some of these CSV files contain 80,000+ rows of data, while other files contain 46,000+ rows, and in some cases files contain only 3 rows.

Here’s a sampling of the data points that were leaked: customer email address, customer name and IP address at the time of purchase, a hash of the customer’s credit card, the last 4 and first 6 digits of the credit card used, a unique device fingerprint (presumably the user’s mobile or desktop device?), type of currency used, payment card type, business name related to the purchase, amount and date of purchase, and country of origin of the purchase.

While the data clearly belongs to Arik Air, the ICT professional stated that the leak may not have come directly from the airline, but from one of its payment processors.

“It’s not entirely clear who the owner of this data is, as Arik Air didn’t reply with any further clarification or details. That being said, it certainly seems likely to be a bucket controlled by Arik Air, or one of their immediate partners/processors.”

The data could fall into the hands of fraudsters, who might make transactions on the cards.

 

 

 

 
