Arik Air customers’ personal data, credit card numbers, leak online

https://twitter.com/xxdesmus/status/1057271434995593216

When customers book flights and pay for their tickets online, they do so in confidence that their personal information is secure.

Some customers of Arik Air, one of Nigeria’s most patronised airlines, may just be at risk of being victims of identity theft and fraud after a dangerous leak of their personal data and credit card details.

The leak was brought to public notice on Wednesday by Justin Paine, the head of trust and safety at Cloudflare.

Paine says the leaked data spanned December 31, 2017 to March 16, 2018.

He said since stumbling on the breach during a random scan “for open/exposed/vulnerable Amazon S3 buckets” on September 6, attempts to get Arik Air to address the situation had been unsuccessful.

He only received a reply from the airline on September 24.

The file contains a whopping 54,011 unique names (mostly Nigerians), 41,304 unique device fingerprints, 65,412 unique emails and 570,210 unique card transactions.

The data revealed 437,457 of the card transactions were made using Mastercard while 97,713 were made using Visa.

Since Paine brought the leaked data to public notice, Arik Air has, however, claimed it was not aware of any leak, as it was not using “Amazon S3 bucket” for its hosting services.

The airline’s spokesperson, Ola Adebanji, said: “Our online platforms are up and running and not under attack. Arik Air takes IT security and protection of customer data seriously.”

Meanwhile, Paine has said he was willing to help some customers (with their permission) confirm if their information is included in the leaked data.

He said he would securely delete the data following discussions with Arik Air and the affected customers, as “they may need the data for their own remediation and notification processes.”

He went on to say that he could confirm “action has finally been taken to secure the S3 bucket roughly one month after” the airline was notified.

© 2023 Neusroom. All Rights Reserved.