Airline Customer Data Left Exposed For Months

Uploaded on 2023-10-02 in FREE TO VIEW, BUSINESS-Services-Transport & Travel

The low-cost carrier Canadian Flair Airlines has exposed sensitive customer databases and email addresses for about seven months, increasing the risk of passengers’ personal information, including emails, names, or addresses, being accessed by criminals.

A malicious actor could use names in conjunction with addresses, emails, and phone numbers to commit identity theft by creating accounts on the person’s behalf without their consent. 

The exact amount and full contents of the exposed databases are currently unknown, although at least one subdomain was collecting private usernames, emails, phone numbers, and flight details. Researchers have issued several notifications about the flaw, warning that exposed files contain MySQL database credentials, the carrier’s email account credentials and secret tokens and app keys. 

An essential requirement in web development is to keep crucial .env files secure because they often contain sensitive information that could be used to compromise services or applications, as Cybernews researchers explain. “The publicly hosted .env files contained database and email configuration details. Database configurations revealed that one of the databases was exposed to the Internet, meaning anyone could potentially use these credentials to access sensitive information stored in this database.”

Right now, it is impossible to know if any malicious actors took advantage of the leak, but the public .env files were first observed in August 2022, meaning that they were accessible for almost seven months. 

The Cybernews research team discovered the leak at the beginning of 2023, and it reportedly took a few months of follow-up notifications until the vulnerability was resolved. “Leaks like this can often be a starting point for cyber criminals. Firstly, to research what information their target could store, what technologies and security measures they are using... Second, personal information could be used for phishing, identity thefts and other attacks, targeting individuals.” 

In this case, the database was hosted publicly, meaning that malicious actors could have accessed user information without exploiting any vulnerabilities.

Access to email credentials would allow an attacker to log in and send emails from compromised addresses, which is dangerous as it could be used to launch phishing attacks from official Flair Airlines email addresses, easily tricking victims into trusting them.

Security Affairs:    Aviation Source:     CBC:      TEISS:       I-HLS:      Cybernews:   

You Might Also Read:

Scandinavian Airline App Compromised:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The Rapid Rise In DNS Attacks Demands New Approaches To Cyber Defense
British Royal Family's Website Targeted  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

QASymphony

QASymphony

QASymphony software testing and QA tools help companies create better software by improving speed, efficiency and collaboration during the testing lifecycle.

Trust Guard

Trust Guard

Trust Guard services provide complete security for your website.

ISC2

ISC2

ISC2 is an international, non-profit membership association for information security leaders. Our information security certifications are recognized as the global standard for excellence.

National Defense Industry Association (NDIA)

National Defense Industry Association (NDIA)

The National Defense Industrial Association Cyber Division contributes to US national security by promoting interaction between the cyber defense industry, government and military.

Cybonet

Cybonet

Cybonet is committed to empowering organizations of all sizes with the tools and capabilities to detect and engage cyber security threats.

Living Security

Living Security

Living Security specializes in metric driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behaviour.

CICRA

CICRA

CICRA is Sri Lanka's pioneering cyber security training and consultancy provider.

Augusta HiTech

Augusta HiTech

Augusta Hitech is a focused product development, software services and technology consulting company. Our Vision is to become the most socially impactful and innovative technology company in the world

Vilnius Tech Park

Vilnius Tech Park

The region‘s most complex and integrated ICT hub, Vilnius Tech Park aims to attract and unite innovative talent from big data, cyber security, smart solutions, fintech and digital design.

CNS Group

CNS Group

CNS Group provides industry leading cyber security though managed security services, penetration testing, consulting and compliance.

NetSPI

NetSPI

NetSPI is an information security penetration testing and vulnerability assessment management advisory firm.

Hong Kong Broadband Network (HKBN)

Hong Kong Broadband Network (HKBN)

HKBN are a leading integrated telecom and technology solutions provider that offers a comprehensive range of premier ICT services to both the enterprise and residential markets.

Transparity Cyber

Transparity Cyber

Transparity Cyber is dedicated to cybersecurity. As part of the Transparity Group we’re an established name in the Microsoft Cloud landscape, with a focus on cybersecurity excellence.

Performance Technologies

Performance Technologies

As a leading IT Solutions Provider in Greece, Performance Technologies delivers reliable, long life solutions, ensuring continuous availability of business-critical services and information.

Exacom

Exacom

Exacom is a leading provider of multimedia logging/recording solutions across public safety, government, DoD, energy, utilities, transportation, and security applications.

TeKnowledge

TeKnowledge

TeKnowledge enables governments and enterprises around the world to navigate the challenges with digital transformation today and tomorrow with elite cybersecurity protection and managed services.