Airline Customer Data Left Exposed For Months

The Canadian low-cost carrier Flair Airlines left configuration files holding customer database and email credentials publicly accessible for about seven months, increasing the risk of passengers' personal information, including emails, names and addresses, being accessed by criminals.

A malicious actor could combine names with addresses, emails and phone numbers to commit identity theft, for example by opening accounts in a person's name without their consent.

The exact number and full contents of the exposed databases are not known, although at least one subdomain was collecting private usernames, emails, phone numbers and flight details. Researchers issued several notifications about the exposure, warning that the exposed files contained MySQL database credentials, the carrier's email account credentials, secret tokens and application keys.

Keeping .env files out of public reach is a basic requirement in web deployment, because they typically hold secrets that can be used to compromise the services or applications they configure, as Cybernews researchers explain. “The publicly hosted .env files contained database and email configuration details. Database configurations revealed that one of the databases was exposed to the Internet, meaning anyone could potentially use these credentials to access sensitive information stored in this database.”

It is not known whether any malicious actors took advantage of the leak, but the public .env files were first observed in August 2022, meaning they were accessible for almost seven months.

The Cybernews research team discovered the leak at the beginning of 2023, and it reportedly took a few months of follow-up notifications before the exposure was resolved. “Leaks like this can often be a starting point for cyber criminals. Firstly, to research what information their target could store, what technologies and security measures they are using... Second, personal information could be used for phishing, identity thefts and other attacks, targeting individuals.”

In this case, the database was reachable from the Internet, meaning that malicious actors holding the leaked credentials could have accessed user information without exploiting any vulnerability at all.
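The two preceding points, secrets sitting in a web-served .env file and a database host that is reachable from outside the machine, are what a responder triages first on finding such a file. The following Python is an added example, not code from Flair Airlines or Cybernews: it parses a constructed .env (no real hosts or secrets; 203.0.113.45 is a documentation address standing in for a public IP, and the AWS value is the one from AWS's own documentation) and reports which keys carry credentials, whether the database host it names is local, internal or routable, and whether mail-sending credentials are included.

```python
"""Triage of a publicly exposed .env file.

Added example for this article; it is not Flair Airlines' or Cybernews'
code, and SAMPLE_ENV below is constructed (no real hosts or secrets).
Given the text of a leaked .env it reports which keys hold credentials,
whether the database host is reachable beyond the local machine, and
whether mail-sending credentials are present.
"""
import ipaddress
import re

# Key names whose values are almost always credentials or signing material.
SECRET_KEY = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|APIKEY|API_KEY|APP_KEY|PRIVATE_KEY|CREDENTIAL",
    re.IGNORECASE,
)

# KEY=value with an optional leading "export", as dotenv loaders accept it.
ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the style of a typical framework .env.
# 203.0.113.45 (TEST-NET-3, a documentation range) stands in for a public IP.
SAMPLE_ENV = """
# Application settings
APP_NAME=ExampleAir
APP_ENV=production
APP_DEBUG=false
APP_KEY=base64:U29tZVN1cGVyU2VjcmV0QXBwS2V5Rm9yRGVtb09ubHk=
APP_URL=https://www.example.test

DB_CONNECTION=mysql
DB_HOST=203.0.113.45
DB_PORT=3306
DB_DATABASE=bookings
DB_USERNAME=app_user
DB_PASSWORD="s3cr3t pass with spaces"   # inline comment

MAIL_MAILER=smtp
MAIL_HOST=smtp.example.test
MAIL_USERNAME=noreply@example.test
MAIL_PASSWORD=mailp4ss
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=value lines; skips blanks and comments, strips quotes and trailing comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if value[:1] in ('"', "'"):
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def redact(value: str) -> str:
    """Keep the first and last two characters so a report is recognisable without reproducing the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_secrets(env: dict[str, str]) -> dict[str, str]:
    """Return the secret-bearing keys with their values redacted."""
    return {k: redact(v) for k, v in env.items() if SECRET_KEY.search(k) and v}


def classify_db_host(host: str) -> str:
    """'local' (same machine), 'internal' (RFC1918 or link-local), 'routable'
    (a literal address outside those ranges) or 'hostname' (needs DNS, which
    this offline check deliberately does not do)."""
    if host in ("", "localhost"):
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "local"
    if addr.is_link_local or any(addr in net for net in RFC1918):
        return "internal"
    return "routable"


def triage(env_text: str) -> dict:
    """Summarise what a leaked .env hands to an attacker."""
    env = parse_env(env_text)
    secrets = find_secrets(env)
    db_host = env.get("DB_HOST", "")
    return {
        "secret_keys": sorted(secrets),
        "redacted": secrets,
        "db_host": db_host,
        "db_exposure": classify_db_host(db_host),
        "db_credentials": bool(env.get("DB_USERNAME") and env.get("DB_PASSWORD")),
        # With SMTP credentials an attacker can send mail as the owner's domain.
        "mail_credentials": bool(env.get("MAIL_USERNAME") and env.get("MAIL_PASSWORD")),
    }


if __name__ == "__main__":
    for field, value in triage(SAMPLE_ENV).items():
        print(f"{field}: {value}")
```

A "routable" database host together with a username and password is the combination described in the paragraph above: no exploit is needed, only a client. Whatever the classification, every credential found in an exposed file should be treated as compromised and rotated, and the file itself should never be deployed under a web-served directory in the first place.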

Access to the email credentials would let an attacker log in and send messages from the compromised addresses, which is dangerous because phishing sent from official Flair Airlines email addresses would easily be trusted by its targets.

Sources: Security Affairs, Aviation Source, CBC, TEISS, I-HLS, Cybernews
