Airline Customer Data Left Exposed For Months

The low-cost Canadian carrier Flair Airlines left sensitive customer databases and email addresses exposed for about seven months, increasing the risk that passengers' personal information, including emails, names and addresses, could be accessed by criminals.

A malicious actor could use names in conjunction with addresses, emails, and phone numbers to commit identity theft by creating accounts on the person’s behalf without their consent. 

The exact number of exposed databases and their full contents are currently unknown, although at least one subdomain was collecting private usernames, emails, phone numbers and flight details. Researchers have issued several notifications about the flaw, warning that the exposed files contain MySQL database credentials, the carrier's email account credentials, secret tokens and app keys.

An essential requirement in web development is to keep crucial .env files secure because they often contain sensitive information that could be used to compromise services or applications, as Cybernews researchers explain. “The publicly hosted .env files contained database and email configuration details. Database configurations revealed that one of the databases was exposed to the Internet, meaning anyone could potentially use these credentials to access sensitive information stored in this database.”
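As an added example (not part of the original article or of the Cybernews research), the Python audit below parses a constructed Laravel-style .env file, flags entries that hold plaintext credentials, and flags a DB_HOST that is neither loopback nor an RFC 1918 address, which is the "database exposed to the Internet" condition the researchers describe. The key names, the secret-suffix convention and every sample value are assumptions, not Flair's real configuration.

```python
import ipaddress
import re

# Constructed sample .env in Laravel style; these are not Flair Airlines' real values.
SAMPLE_ENV = """\
# application settings
APP_NAME=Booking
APP_KEY=base64:EXAMPLEKEYEXAMPLEKEY
DB_CONNECTION=mysql
DB_HOST=203.0.113.10
DB_USERNAME=booking
DB_PASSWORD="ExamplePass123"
MAIL_HOST=smtp.example.com
MAIL_PASSWORD=ExampleMailPass
"""

# Key suffixes that usually denote a plaintext credential (assumed naming convention).
SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|_KEY)$", re.I)

# Loopback and RFC 1918 ranges; a DB_HOST outside these is reachable from elsewhere.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_env(text):
    """Parse KEY=VALUE lines, skipping comments and blanks; strips simple quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def host_is_internal(host):
    """True only for localhost or a literal loopback/RFC 1918 address."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: treat as reachable until proven otherwise
    return any(addr in net for net in INTERNAL_NETS)

def audit_env(text):
    """Return findings: plaintext secrets and a database host exposed beyond localhost."""
    env = parse_env(text)
    findings = [f"plaintext secret: {k}" for k, v in env.items()
                if SECRET_KEY_RE.search(k) and v]
    db_host = env.get("DB_HOST", "")
    if db_host and not host_is_internal(db_host):
        findings.append(f"DB_HOST {db_host} is outside loopback/private ranges")
    return findings

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print(finding)
```

Run against a real deployment's .env before publishing the web root; any finding is a reason to move the secret into a vault and to firewall the database off the public Internet.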

Right now, it is impossible to know if any malicious actors took advantage of the leak, but the public .env files were first observed in August 2022, meaning that they were accessible for almost seven months. 

The Cybernews research team discovered the leak at the beginning of 2023, and it reportedly took a few months of follow-up notifications until the vulnerability was resolved. “Leaks like this can often be a starting point for cyber criminals. Firstly, to research what information their target could store, what technologies and security measures they are using... Second, personal information could be used for phishing, identity thefts and other attacks, targeting individuals.” 

In this case, the database was hosted publicly, meaning that malicious actors could have accessed user information without exploiting any vulnerabilities.

Access to email credentials would allow an attacker to log in and send emails from compromised addresses, which is dangerous as it could be used to launch phishing attacks from official Flair Airlines email addresses, easily tricking victims into trusting them.

Sources: Security Affairs, Aviation Source, CBC, TEISS, I-HLS, Cybernews
