Akasa Air suffers data breach, passengers' personal information leaked

Akasa Air, India’s newest airline that started operations less than a month ago, suffered a data breach. The airline stated on Sunday that personal information of some passengers such as name, gender, email address and phone numbers has been leaked to “unauthorised individuals”.  

Akasa Air reported the incident to Indian Computer Emergency Response Team (CERT-In), the government-authorised nodal agency that deals with such matters.

On August 7, the airlines had launched commercial flight operations with its first service on the Mumbai-Ahmedabad route, via the B737 Max aircraft. On Saturday and Sunday, the airline sent emails to passengers to inform them about the phishing attack.

In a statement on Sunday evening, the airline informed its passengers over email, “A temporary technical configuration error related to our login and sign-up service was reported on August 25. As a result, some Akasa Air registered user information limited to names, gender, email addresses and phone numbers may have been viewed by unauthorised individuals." It further clarified that there was "no intentional hacking attempt" but has advised users to be conscious of possible phishing attempts.

“On being made aware of the incident, we immediately stopped this unauthorised access by completely shutting down the associated functional elements of our system. After having added additional controls to address this situation, we have resumed our login and sign-up services,” it mentioned.

The airlines' Chief Information Officer Anand Srinivasan further assured that Akasa Air will “continue to maintain” its “robust” security protocols and wherever applicable, it will engage with partners, researchers and security experts to strengthen its systems.

The airline earlier said, it plans to operate 150 weekly flights by the end of September. On August 14, it’s key investor and stock trader Rakesh Jhunjhunwala passed away, even though the company’s CEO Vinay Dube said that the carrier is well-capitalised. It has undertaken additional reviews to ensure that the security of all its systems is enhanced further. 

In recent years, cyber-attacks on every industry, especially, the aviation industry has been rampant, with Eurocontrol, the European organisation for the safety of air navigation, reporting a 530% increase in cyber-attacks globally between 2019 and 2021 alone. Some 95% of these attacks were financially motivated, leading to a financial loss in 55% of cases and nearly 35% saw the leaking of data, it said.

In India too, there have been a number of incidents on recent times. In May 2021, Air India reportedly suffered a massive security breach where approximately 4.5 million customer records were leaked including their “personal data registered between August 2011 and February 2021” but it said that “no password data was affected.” 

More recently, on 24 May this year, domestic air carrier SpiceJet suffered a ransomware attack in which hundreds of its passengers were left stranded at various airports and inside aircraft. Flight operations took a hit for about four to five hours as flight departures slowed down.