If you have traveled on Arik Air in the timeframe of the leaked data (2017-12-31 – 2018-03-16) I’d like to try to locate you in the data (with your permission). https://t.co/XLrdc4Ix1D
— Justin (@xxdesmus) October 30, 2018
He said the data was found during his normal course of scanning for open/exposed/vulnerable Amazon S3 buckets.
From the timeline he provided, it took the airline about a month to respond to his emails. He first noticed the leak on the 6th of September 2018 and notified the airline the same day. The carrier finally replied on the 17th of September 2018, asking him to resend his email to another address it provided. After he sent an email to that address, he was told they would review the situation, and he never heard from Arik Air again.
The data also show the travel patterns of individual passengers.
Likely data that may have leaked
The ICT professional also gave hints on the data that leaked. They include:
The answer — 994 CSV files. Some of these CSV files contain in excess of 80,000+ rows of data while other files contain 46,000+ rows of data, and in some cases, files only contain 3 rows of data.
Here’s a sampling of the data points that were leaked:
- Customer email address
- Customer name
- Customer’s IP at the time of purchase
- A hash of the customer’s credit card
- What appears to be the last 4 digits of the credit card used.
- What appears to be the first 6 digits of the credit card used.
- A unique device fingerprint (presumably the user’s mobile or desktop device?)
- Type of currency used
- Payment card type
- Business name related to the purchase (more on this below)
- Amount of purchase
- Date of purchase
- Country of origin of the purchase
Where did the leak come from
While the data clearly belongs to Arik Air, the ICT professional stated that the leak may not have come directly from the airline, but from one of its payment processors.
“It’s not entirely clear who the owner of this data is as Arik Air didn’t reply with any further clarification or details. That being said it certainly seems likely to be a bucket controlled by Arik Air, or one of their immediate partners/processors.”
Implications of the leak
The data could fall into the hands of fraudsters, who might make transactions on the cards.