An apparent data breach of Indian airline SpiceJet calls into question white-hat tactics to expose network vulnerabilities and protocol.

The airline’s hack, compromising the data of more than 1.2 million passengers, including Indian government officials, was first reported by TechCrunch, which learned of the incident through an unnamed security researcher, who referred to his actions as ethical hacking.

The individual “brute-forced” into the system by using an easily guessed password, and upon alerting SpiceJet never received a response, prompting the leak to TechCrunch, which says it reviewed the impacted database’s contents and won’t reveal the hacker’s identity for fear of violating U.S. computer hacking laws.

SpiceJet possesses a 13 percent of Indian air-traffic market share, daily flying more than 600 aircraft. CERT-IN, the Indian government’s cybersecurity agency, acknowledged the incident and noted protocol wasn’t followed.

Acknowledging the breach, SpiceJet, in a statement cited by TechCrunch, said the “safety and security of our fliers’ data is sacrosanct.” However, the airline’s website makes no mention of the breach.

“Our systems are fully capable and always up to date to secure the fliers’ data, which is a continuous process,” SpiceJet said. “We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”

Industry observers disagree. Javvad Malik, security awareness advocate for KnowBe4, whose chief hacking officer is Kevin Mitnick, shared several concerns. “From the researchers perspective, brute forcing and gaining access to private data is not an acceptable practice. If the researcher had concerns, they should have tried raising it with the airline directly. The airline itself hasn’t apparently followed best practices through by not having a well protected system that is not resilient to brute forcing through account lock outs, monitoring, or 2FA.

Having unencrypted data on so many passengers exposed can be a big issue. Being able to track peoples movements could lead to them being attractive targets of cyber or traditional criminals who may want to use the data to exploit the victims. Affected passengers should also be wary in the coming weeks of any phishing emails that may claim to be from the airline offering a refund or some other hook to get them to click on a link and compromise them further.”

Ben Goodman, senior vice president of global business and corporate development for ForgeRock, noted passwords continue to be “an Achilles heel, creating openings for bad actors to exploit.”

He added such an event should prompt more enterprises to implement passwordless authentication to ensure security.

Anurag Kahol, CTO of Bitglass, agreed that organizations need to employ multi-factor authentication to confirm an individual’s identity before allowing data access. To achieve full visibility and control over customer data, Kahol said “organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive consumer information.”