Justin Paine, Head of Trust & Safety at Cloudflare, has announced that he uncovered a data leak at the airline during a routine search for “open, exposed, or vulnerable Amazon S3 buckets”.
An Amazon Simple Storage Service (Amazon S3) bucket is a public cloud storage resource similar to file folders. It stores objects consisting of data and descriptive metadata.
Paine said that on September 6 he discovered an exposed bucket containing a large number of CSV files, which are also used to store data. Paine stated that he later traced the ownership to Arik Air.
“A total of 994 CSV files were found in the bucket, with some of the files containing more than 80,000 rows of data while other files contained over 46,000 rows of data. Some files contained 3 rows of data,” he wrote.
“A further investigation revealed that sensitive information that leaked included customer names, email addresses, internet protocol addresses (IPs) registered at point of purchasing tickets, the hashes of credit cards used and what appears to be the first six digits and last four digits of the credit card used for purchase.”
Explaining the implication of this breach, Paine said: “A malicious person could potentially use this sensitive information to target one of these customers of Arik Air for identity theft. With the information included in this leak a fraudster would have plenty of useful data points.
“It is possible to map out all flights this user has taken in the 3.5 months contained by this leaked data.”
After several attempts to notify Arik Air of the security breach, Paine said he only got a response over two weeks later.
After another check on October 10, Paine said the leaked bucket had been “properly secured.”
Adebanji Ola, spokesman of the airline, told TheCable a statement would be issued on the development.