The Cable has shared a report detailing a possible leak of the data of people who booked flights with Arik Air online in 2017. Justin Paine, Head of Trust & Safety at Cloudflare, shared that on September 6 he found a data leak from the airline during a routine search for “open, exposed, or vulnerable Amazon S3 buckets.”
The Amazon Simple Storage Service (Amazon S3) bucket is said be a public cloud storage resource that stores objects consisting of data and descriptive metadata.
He found 994 CSV files in an exposed bucket, he shared, and rows of data containing customer names, email addresses, last 4 digits of credit card used, type of payment card, and hashes of credit card.
The data was eventually secured on October 10, he said, after several attempts to reach Arik Air. He said:
“A total of 994 CSV files were found in the bucket, with some of the files containing more than 80,000 rows of data while other files contained over 46,000 rows of data. Some files contained 3 rows of data.
A further investigation revealed that sensitive information that leaked included customer names, email addresses, internet protocol addresses (IPs) registered at point of purchasing tickets, the hashes of credit cards used and what appears to be the first six digits and last four digits of the credit card used for purchase.
A malicious person could potentially use this sensitive information to target one of these customers of Arik Air for identify theft. With the information included in this leak a fraudster would have plenty of useful data points.
It is possible to map out all flights this user has taken in the 3.5 months contained by this leaked data.
Adebanji Ola, spokesperson of Arik Air, has said a statement will be issued concerning the matter.